Did you know that Discord attachments are publicly accessible? Did you know that even after deleting an attachment, the link to download the file is still active? In this edition of our leaky app series, we cover how sharing attachment links in Discord can cause accidental public exposure of data. We will also look into the malware abuse case of threat actors using Discord as a malware-hosting platform.
This post is part of an ongoing series of highlighting data exposure concerns in Google Calendar, Google Groups, other Google services, Zendesk, Office 365, Google Photos, and Google Hangouts.
Discord app
Discord is a chat messenger platform that supports voice, video, and text communication. It is used by more than 250 million users with varied interests and is widely used by gamer communities.
Discord servers
The channels or communities created in Discord are called “servers.” Users can search for and join public servers as shown in Figure 1.
Users can also create their own server using their own template or a list of templates as shown in Figure 2.
The servers are assigned with a list of permissions as shown in Figure 3.
The servers are public by default and users have to enable the “Private Channel” option to restrict access and roles. Once the server is created, users can send invites or grant access via link invitations as shown in Figure 4.
Discord app attachments – Public links
Every file uploaded to Discord generates a public link in one of the following formats
- https://cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<file_name>
- https://media.discordapp.com/attachments/<channel_id>/<attachment_id>/<file_name>
An example of a public link generated for an image is shown in Figure 5.