When you send an attachment, let's say a picture, to a friend or in a server, it will be stored into. Whether you delete your picture or not, it will be stored forever, so you can see it using the same URL.

Why is it a problem?

Discord CDN is public, meaning anyone can see any attachment as long as they have the URL for it. It also means that anything we send is online forever and can't be deleted at all. If you sent something that could be sensitive, a bank account for example, then anyone could see it and there's no way for you to prevent it. You can delete the picture in Discord but it will remain in the CDN publicly. It's also a big problem for companies that may use Discord to work. Nobody wants their super secret project to be public because of this problem. Because of this, we may have to ditch Discord, as we ditched Skype and TeamSpeak, to use something else and get more privacy.

Also, any attachment we may have sent could be obtained by anybody with a very simple script that scans URLs.

What should be done?

First, when you try to access an attachment, it should check if you can see the requested attachment. This means that you can only see it if you are within the server it was sent on, or if this was sent to you in private. Secondly, when an attachment is deleted, it should be deleted from the CDN too.

Firstly, keeping the files around means that you can just copy and paste links (e.g. for memes), drastically reducing the load on the CDN. Secondly, as others have said, delete the original message and the image will be gone. You can only see it because it's in your cache, ctrl + shift + r and you will no longer be able to see it. Thirdly, you'd have to guess not only the guild ID and the channel ID, but the file name too. I really doubt you'd be able to find a single valid file before getting, say, IP banned by any DoS detection Discord might be using. Furthermore, it's trivial to make it impossible to guess filenames by adding a randomly generated ID to the file names. If security is that important to you in the first place, you should probably use something that's at least end-to-end encrypted.

As for if companies are using Discord to share files. Cloud storage exists, which not only has customizable storage limits, but also much, much better support for e.g.

No, it is not gone after deleting the original message, even with ctrl+shift+R. So no, it does not contain the guild ID, and no, the file name is not modified, but also no, the URL is not guessable (I think). The real problem here is not some bot guessing the URL, but it is not a non-issue. The very real issue is, say, that you post an image containing some private information (address, DOB, security token, private photo, bank account number, whatever) by accident. You then, say, take 5 seconds (though it could be much longer) to realize your mistake and delete it.

Anyone who copied the link in that time now has this permanent (or at least relatively long-lasting) link. Now yes, anyone could have also downloaded the image, which you can't really prevent. But having it permanently hosted is a bit worse.

Consider also the case where a server has a bot that logs deletions of messages. If deleting the original message deleted the image at the URL, then even if someone could see the log, they couldn't see the image. But since that's not the case, anyone who can see the text contents of your deleted message can also see the image.

IMO here is how this should work (and how most messaging software actually works). When you share a file to a group, all the people in that group are granted authenticated access to its link (via IAM permissions or ACLs). No-one external should be able to access that file if you share its link. This is even more critical for a private message: let's say you shared a private file (i.e. a PII) with someone on Discord, and the link somehow gets leaked to someone else.
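The behaviour the thread asks for (a random attachment ID, a membership check on every fetch, and removal from storage when the message is deleted) can be modelled in a few lines. This is an added example, not part of any post and not Discord's code; `AttachmentStore`, its methods, and the channel, user and message names are hypothetical.

```python
import secrets


class AttachmentStore:
    """Toy attachment backend (hypothetical model, not Discord's API)."""

    def __init__(self):
        self._members = {}  # channel_id -> set of user_ids allowed to read
        self._blobs = {}    # attachment_id -> (channel_id, message_id, data)

    def set_members(self, channel_id, user_ids):
        self._members[channel_id] = set(user_ids)

    def upload(self, channel_id, message_id, uploader, data):
        if uploader not in self._members.get(channel_id, ()):
            raise PermissionError("uploader is not in the channel")
        # 128 random bits make the ID impossible to enumerate, but a shared
        # link is no longer secret, so the ID is never the only control.
        attachment_id = secrets.token_urlsafe(16)
        self._blobs[attachment_id] = (channel_id, message_id, data)
        return attachment_id

    def fetch(self, attachment_id, user_id):
        """Return the bytes or None; unknown, deleted and forbidden look alike."""
        entry = self._blobs.get(attachment_id)
        if entry is None:
            return None
        channel_id, _message_id, data = entry
        # Checked on every request, so a leaked link alone grants nothing.
        if user_id not in self._members.get(channel_id, ()):
            return None
        return data

    def delete_message(self, message_id):
        """Deleting a message also removes its attachments from storage."""
        doomed = [a for a, (_c, m, _d) in self._blobs.items() if m == message_id]
        for attachment_id in doomed:
            del self._blobs[attachment_id]
        return len(doomed)


def demo():
    store = AttachmentStore()
    store.set_members("dm-alice-bob", {"alice", "bob"})  # constructed sample data
    link = store.upload("dm-alice-bob", "msg-1", "alice", b"bank statement")
    results = {
        "member": store.fetch(link, "bob"),
        "leaked_link": store.fetch(link, "mallory"),
        "anonymous": store.fetch(link, None),
    }
    store.delete_message("msg-1")
    results["after_delete"] = store.fetch(link, "bob")
    return results
```

A copy that a member downloaded before the deletion is outside what this model can control, as one of the posts above points out.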