Did you know that Discord attachments are publicly accessible? Did you know that even after deleting an attachment, the link to download the file is still active? In this edition of our leaky app series, we cover how sharing attachment links in Discord can cause accidental public exposure of data. We will also look into the malware abuse case of threat actors using Discord as a malware-hosting platform.
This post is part of an ongoing series of highlighting data exposure concerns in Google Calendar, Google Groups, other Google services, Zendesk, Office 365, Google Photos, and Google Hangouts.
Discord app
Discord is a chat messenger platform that supports voice, video, and text communication. It is used by more than 250 million users with varied interests and is widely used by gamer communities.
Discord servers
The channels or communities created in Discord are called “servers.” Users can search for and join public servers as shown in Figure 1.
Users can also create their own server using their own template or a list of templates as shown in Figure 2.
The servers are assigned with a list of permissions as shown in Figure 3.
The servers are public by default and users have to enable the “Private Channel” option to restrict access and roles. Once the server is created, users can send invites or grant access via link invitations as shown in Figure 4.
Discord app attachments – Public links
Every file uploaded to Discord generates a public link in one of the following formats
- https://cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<file_name>
- https://media.discordapp.com/attachments/<channel_id>/<attachment_id>/<file_name>
An example of a public link generated for an image is shown in Figure 5.
The generated public link is accessible to anyone without authentication and without having any ties to the server. For example, images shared in a private community can be accessed by anyone on the Internet.
On top of this, the link remains valid even after the file is deleted. This can lead to severe exposure concerns if sensitive or confidential data is uploaded. Users should be careful to never share any sensitive or confidential data on any Discord servers.
Discord app – Netskope Cloud Confidence Audit
The Netskope Cloud Confidence Index (CCI) measures a cloud service’s enterprise readiness and is adapted from the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). Discord has a CCI of 58, well below the threshold of 75—a score that indicates an app is ready to use in the enterprise. An excerpt from the CCI repo