The Risks of Discord Client Mods

Thinking of using a Discord client mod? Already using one? Read about the risks Discord Client Mods bring to your account and computer in this article.

The Risks of Discord Client Mods

If you've been around Discord meta circles, you've probably heard of Client Mods more than once. But why shouldn't you use Discord client mods? What do client mods even do? What can happen if you do use client mods? We'll cover all of the above in this article! Don't want to read everything here? Here's a TL;DR you can share.

What do client mods do?

Client mods refer to software that alters how your Discord client works. This is a very broad definition, and there's lots of different things that Discord client mods can do. To help keep things simple, we'll break this down into the two main categories:

API interactions/self-botting

Self-botting refers to using your own Discord account credentials to make calls to Discord's API manually or automatically outside of the Discord client's normal API calls. When thinking of Self-Bots, many people will imagine spambots, however most client mods will self-bot in ways that are less obviously harmful. This can include mass deleting your messages & fetching endpoints for guilds or users that aren't typically called to show more information in-client. While client mod API calls/self-botting are less obvious than dedicated spambots, the atypical activity is still visible on Discord's end, especially if you have data science analytics enabled on your account. Additionally, as API calls from user credentials aren't sent rate-limit headers, it's possible for API calls from a client mod to get you rate-limited by Discord, which can very easily result in you being identified for API abuse.

An example of a mass-delete client mod, you can see it getting rate-limited in this gif.

Client alterations

Client alterations don't directly affect communication between your Discord client and the API, but rather change how the Discord client appears. These changes are more common & more desirable, and include new themes, asset changes & layout changes. Some client alterations will also allow users to show parts of the client not intended for general use, most typically experimental features. Naturally, as these features are experimental, they may cause issues with your client. This can range from non-functional features to crash loops requiring a fresh install. These issues aren't just limited to experiments. Bad code in any client alterations can cause crashes or glitches in your client with visual modifications often rendering the client unusable. Though these visual changes sometimes bring less maintained clients (Like the Linux client) into feature-parity with more maintained ones. It's also worth noting that Discord's analytics report metadata about the client to them, meaning your interactions with the client are tracked. As a result, Discord will easily be able to tell if you're interacting in ways that shouldn't be possible in the client.

An example of theme modifications from a client mod.

How do client mods do what they do?

In simple terms, client mods work by injecting their code into the Discord client. In more complex terms, it varies. There's a plethora of different client mods and plugins out there, and each goes about things slightly differently. The Discord client is built on Electron, which in turn is built on Chromium. This means the client is coded in higher level web languages, like JavaScript. You can actually inject customizations into the Discord client at any time while it's running via Chrome DevTools, but the methods client mods use inject these modifications live & persist across restarts. In order to allow these injections, many security features of the Discord client are disabled. These features sandbox the Discord client, making sure there's a layer of security between code executed on it and the machine the client is running on.

What could happen if I use a client mod?

A lot! People often talk about enforcement from Discord, but the more severe concerns come from running unchecked code on your machine that disables security features in the Discord client. Historically, Client Mods have disabled security features that prevent attacks like XSS and RCE that have already been achieved in the past by security researchers. Disabling these features means your client will be vulnerable to these attacks, which Discord won't release fixes for, as the security features that are enabled by default already fix them. However, client mods have progressively evolved to disable/alter fewer of these security features, with several maintainers for popular client mods mirroring Discord's security concerns. Additionally, you're running code on your PC. You should always read the source of unsigned code, and be able to understand what it's doing on your computer. Some client mods have historically sent usage data to plugin developers, others have allowed potentially dangerous plugins. If you can't read or understand what a client mod or plugin is doing, you should absolutely not be touching it. One of the basic rules for internet safety is to not run executables you don't trust and this should extend to client mods & plugins.

While enforcement on client mod plugins has only gotten better over time, you should always approch any plugins with some trepidation and read their source code where possible. At any time, this software could be changed to be malicious, steal your credentials, or distribute malware. You should always track updates, some client mods will come with self-updaters, and you should consider disabling these features. While maintainers of client mods may not be malicious themselves, if the services they use to distrubte updates are ever compromised, you run a risk of getting malicious code added to your client. This has recently happened with a very widely used library, so it's important to be aware of these risk factors and equally important you understand a client mods code base. You're also adding another layer of exploitable code to your client, while your client may be secure, a client mod could add brand new attack vectors with its codebase. It's worth noting that several token grabbers have been inspired by the injection methods of popular client mods.

While client mods offer a diverse suite of alterations to the client, you should seriously consider the potential risks against the changes they offer. If you're adding unmoderated plugins en masse you're putting yourself at an an increased risk. If you're adamant on using a client mod, ensure you're only using vetted plugins. While the wild west of client mods and plugins stealing your account credentials has lessend, malicious plugins very much still exist.

What's this about token grabbing/malware?

Token grabbing is a method through which code you run on your computer can access your Discord client and steal your credentials. This is similar to your username and password, but allows limited bypassing of MFA and immediate access to your account. This means, without you knowing, a token grabber can steal your account the second it's executed on your computer. We'll be talking about token grabbing more in an upcoming article. token grabbers are a type of malware, or virus. There's many different kinds of viruses that can be distributed over downloaded programs. You should always scan your downloads with an antivirus program!

What about using the Developer Console?

Using Chrome DevTools to inject code to enable or modify various things isn't a good idea unless you know exactly what you're doing with the console. You should know exactly what the code you're running does, and exactly what the potential consequences could be. People being socially engineered into pasting things into the Developer Console became such an issue that, in 2022, Chrome DevTools were disabled by default on the stable client.

What can I do without client modding?

Still quite a few things! You can use legitimate RPC/IPC clients to set a custom status on your Discord account, with buttons, images & more cool things. This is ToS compliant as of the writing of this article. You can also use the appearance settings in the client to customize your experience a little more, or even use a mobile emulator to use the mobile OLED theme on desktop.

So, why shouldn't I use client mods?

  • They disable security features on Discord, making you vulnerable to attacks.
  • They create more room for attacks with the addition of new code.
  • They could steal your information, so make sure you can read their code.
  • Some plugins can automate your account, resulting in API abuse.
  • Discord can likely see that you're using a client mod, and can act on this.
  • Updates can break visual client mods.
  • Using client mods to enable experimental features can make your client crash.
  • You won't get any support from Discord if a client mod breaks your client.
  • Using a client mod is against TOS. You can be actioned at any time.