54 comments

[ 3.8 ms ] story [ 135 ms ] thread
I have a hard time believing this is about blocking malware. Discord doesn't want to be a free file hosting platform anymore, and that's fine, but they shouldn't pretend this is about something else.
Seems like it's two birds with one stone.
I don't think anyone who's worked at a product company can't imagine how some CISO whipping up a bunch of VPs into a frenzy over malware is the most likely scenario.

Definitely more likely than someone actually complaining that the money furnace was burning money in a way that increases engagement, gives people something to stream, and gives people a reason to buy their premium subscription.

Discord allowed hotlinking their files until recently, so it wasn't necessarily driving as much engagement as all that.
Hotlinking doesn't happen in a vacuum: if people were seriously congregating to setup shares and paying for Nitro for the 500MB limit, I doubt anyone would have cross their "activation energy" to blanket ban the links rather than dealing with disruptive servers as needed
I also don't want them to be a perpetual file hosting platform either. I also wish they cleared sufficiently old text messages as well. Of course they won't delete text messages though because they can make more money from them then they can by not storing them.

This just happens to not be the case for larger files. I bet they have tried to find a way to monetize the data harvested from user image associations or possibly image AI training already.

Pleas change your belief then. Discord is a very popular malware distribution platform. It is reliable and corporate networks don't block it. This only solves the malware dropper problem, you still have a ton of stealers that post stolen creds to discord rooms via webhook. Perhaps rate limiting might help there.

But I promise you this is a very prevalent problem, to the point where discord is blocked companh wide at some places because of this this issue.

As someone who worked at a company that hosted content, I can believe it. Malware folks always want to get their content onto legitimate domains where 99.999% of the content is legitimate. The amount of time spent trying to keep your domains clean can be a nightmare. Dealing with abuse can become a major cost.

This doesn't really change Discord away from being a free file hosting platform for anyone that gets the link on Discord. It just prevents someone from uploading a file to Discord and then sending a link to the file along a different medium (email/text/etc).

Hosting files really isn't that expensive given Discord's tiny file size limit and Discord's scale. Cloudflare's R2 charges $0.36/million downloads. The problem is that if you're hosting content on your domains, you have a certain responsibility for the files on those domains. Your domain gets a reputation and at a certain point starts appearing on lists (even if you're a multi-billion dollar company). People trying to spread malware love taking advantage of any place they can store a file on a reputable domain or get a reputable link shortener to redirect to them. I don't blame Discord for wanting to cut them off.

It can perfectly be both. I mean, there's no reason to polarize every decision. On the contrary, the more points it covers, the better justification it has.
Are you suggesting it's about something else?

> After the file hosting change (described by Discord as authentication enforcement) rolls out later this year, all links to files uploaded to Discord servers will expire after 24 hours.

> CDN URLs will come with three new parameters that will add expiration timestamps and unique signatures that will remain valid until the links expire, preventing the use of Discord's CDN for permanent file hosting.

This seems like a pretty straight forward change?

Every email with a cdn.discordapp.com/attachments link has been blocked at the gateway for 60%+ of the Fortune 100 since January 2022. The global configuration history I'm looking at is actually kind of funny, you can see the "god damn it" moment:

    "stateChanges": [
        {
            "state": "ACTIVE",
            "date": "2022-01-19T04:47:37Z"
        },
        {
            "state": "FALSE_POSITIVE",
            "date": "2022-01-26T09:13:03Z"
        },
        {
            "state": "ACTIVE",
            "date": "2022-01-28T00:41:17Z"
        }
    ]
Discord is responsible for handling reports about malicious content, so by shortening the lifetime of all content to 24 hours they're effectively giving themselves a 24-hour response SLA for free. It's a very reasonable move.

Mozilla went through the same thing with Firefox Send and ended up discontinuing it altogether: https://support.mozilla.org/en-US/kb/what-happened-firefox-s....

No Text To Speech[1] covered this in his video a few weeks ago. It seems like a good thing for the health of the platform in general. People like to use Discord as a file locker on 3rd party platforms, and that can cause unnecessary financial strain on what is a free product that has been trying to find ways to monetize itself for quite a while now, (animated profiles being the latest thing).

Of course there's ways around it as it is right now, as shown in NTTS' video, but it requires effort, which the general user won't bother with.

[1] https://www.youtube.com/watch?v=rZ73h1qWb3c

I hope this change gives more people pause about stuffing the entirety of their projects online presence into Discord.

It sucks for search engine indexing and it sucks for providing support for stuff because the conversation moves on before anybody who might help will see your query.

Zig is probably the worst offender of this, especially exacerbated by the lack of adequate documentation.
This may sound odd, but it sounds like the tragedy of a project's success. In the old days you would often find help on an IRC channel, but it worked out, because they were not very busy. These days if your project blows up, no matter what platform you use, you will be overrun with questions because there's just more people jumping on the next hot thing.
On the other hand, it's a lot better than Slack which charges you to search through all your messages in a channel. At least in Discord you can search all messages, even if you can't find them directly from a search engine.

One simple solution to this would be a Discord bot that publishes a log of all messages in a channel to a website, thus making them indexable by Google. This used to be common practice for IRC channels and you'd sometimes find an answer to a programming question in the published logs of some IRC server.

Of course, an even better solution would be for Discord to offer this natively to server admins. Give them an option to make their channel indexable by search engines, and then mirror all the posts to a subdomain. It could even be a funnel for Discord since they could get new users to signup when they land on an answer and need to signup to ask a follow-up question. It could also be a wedge to compete more directly with Reddit.

Bet midjourney will be unhappy.

I'm sure one of the reasons they operate purely as a discord bot is to save $$$ on hosting and bandwidth

I think discord is very happy with Midjourney, who they do billing for, who they've done significant work to support (they're by far the largest discord, and discord has also done UI work to support the midjourney inpainting feature.)

I think it's extremely unlikely this is aimed at midjourney or will affect them negatively. Most of their bandwidth will still happen over discord where users see the images generated to begin with.

Got a source for the UI work?
The midjourney founder talked about it in his "office hours" in the weeks prior to inpainting launch, they were ready with inpainting before discord was done with UI support for it.

The way inpainting in midjourney works is you click "remix region" on the message where the bot posted the generation and UI pops up that lets you select regions of the images, with two different types of shape selector, a rectangle selection tool and a curve selection tool. You send your message back to the bot, which includes those regions, and it only redraws those regions.

I'm more concerned about the loss of content that should probably be preserved in historical grounds. Obviously not all of it is significant but you can't pick and choose and at least some of it will turn out to be of interest to future historians and researchers.
I don't see how this affects Midjourney at all? Expiring links are a technical implementation detail that won't affect regular users of Discord in any way. It's not like they're charging for hosting or bot access unless I missed something.
I can see how this could be annoying in some contexts e.g. going to some project's discord to get answers to a question, searching a channel and finding the perfect answer from awhile back but then not being able to download the file that was attached at the time. I don't think that's super likely to happen though. IME most answers I've searched for were entirely encapsulated in text anyway. The larger problem of using a discord server for such projects still exists, but I don't think this makes it all that much worse.
As far as I understand it, this change is not supposed to change anything about files posted on Discord, as long as you actually view the channel where they were posted. Means: if you find an old post on Discord with a file attached, this should still work. This change is only supposed to make it impossible to take a link to such a file and post that link outside of Discord (e.g. on a website), in which case the link should then expire within 24h after the enforcement is implemented.
Yep - lets not forget links are an abstraction Discord provides for us to access the files. The files themselves would be linked to messages via some internal id, correct? So they can re-generate the link on every message view.
They're not deleting old files, they're just using signed per-user urls to serve them on.

You'll still see old files.

The number of people on this thread who don't understand how prevalent the discord malware problem is stunnig to me. I guess I forget there is a world outside of infosec sometimes. Just google discord malware and you'll find plenty of writeups.

cdn.discordapp.com, if you see anything that isn't actually discord connecting to that domain in your corporate network then it's most likely malware.

Matter of fact, get your own open source stealer malware, github is curating a topic for it:

https://github.com/topics/discord-stealer

I gotta make an HN submission for this lol.

Please do. I had absolutely no idea Discord was used for this purpose in any significant way (although on reflection of course it is because what can be abused on the internet will be abused.)
How do these stealers work? Is the assumption that the victim will download and run an executable? If so, what's discord-specific about it?
A popular one is indie games. An attacker will copy the entire game and distribute it on various platforms as if they were the publisher, and add a setup program - either a MSI or an all in 1 exe. This installer usually has a powershell scripting extension DLL. The worm's first stage loader is this powershell script. It works because the setup program already asked for administrator access, so the PS script runs as admin.

First thing it'll do is disable Windows Defender. Then run a base64 encoded script as a command line arg to powershell as a scheduled task. And so on. Telemetry is sent back to the c2 about what AV was installed, and if it finds itself running in a sandbox or VM it will immediately exit.

I haven't seen them using discord's CDN, but I'm sure some do. Redline seems to have a high amount of customization encouraged in its deployment. Each infection is a few megs of bandwidth, so if you're infection a lot of targets the bandwidth costs can be non trivial, hence using a CDN.

The stealers are spread some other way, discord is used as a place to send the attacker stolen info. Back in the day IRC bots were used in the same way.

The recent discord change affects a different type of abuse though. The attackers upload their malware to discord and use the link to that attachment as part of the infection/dropper phase.

Let's say you get a phishing link, a social media post such as on facebook,linkedin,etc... or a search result on google, malvertising,etc... then that lets you download the desired content except it's an iso,archive, lnk,etc... you open it and the file in it. Little do you know that triggere the infection where powershell, wscript, csc or whatever else is downloading the malware using the discord permalink, if it is any good it will still need additional unpacking and decrypting before it either settles in its new home on your computer or if it is a stealer, it grabs your browser stored passwords (never use that or login to chrome/edge!!! Or mix work/personal accounts!!) , crypto wallets, api keys , interesting files such as config files, credit cards (again browsers lol) and more and posts that data archived using a webhook to the attackers channel/room and the malware will not even touch your disk before disappearing sometimes (reflective .net assembly loading, Thread injection,etc...)

If you have relatives who are not technical, either make them use macos or turn on defender with tamper protection and cloud delivered protection and make sure extensions and hidden files are visible by default. Also change the default file association for js,jse,vbs,vbe,iso,7z,rar,hta,bat,cmd and I am sure I am missing more to notepad.

Thanks for the explanation!

You write:

>it grabs your browser stored passwords (never use that or login to chrome/edge!!! Or mix work/personal accounts!!)

I actually don't know a ton about the Windows permissions model. If the malware can already install a keylogger at this point, doesn't avoiding the use of stored passwords just delay the inevitable? (I guess installing a keylogger could cause it to be detected by antivirus software?) Also, in terms of mixing work and personal accounts -- it's not enough to use separate browsers, I'd have to use separate devices, correct?

What are reflective .net assembly loading & thread injection?

That's quite a list of file extensions! It seems like Windows is astonishingly willing to execute unwanted code. Like, I'm struggling to imagine why I'd be significantly worried about a downloaded .js file on Linux/macOS.

> If the malware can already install a keylogger at this point, doesn't avoiding the use of stored passwords just delay the inevitable?

Browsers sync passwords. all the passwords you saved to everything get exposed to the malware. Most services you use regularly these days don't require frequent logins on the same device either. For example, you may only login to your school/work at a different pc but you sync passwords on the same google account because you also check your personal email there. Now any malware at any of those devices gets your saved password and payment info. Not to mention session cookies!

> I guess installing a keylogger could cause it to be detected by antivirus software?

Maybe, maybe not but the av might clean it up before it gets any creds keylogged. Part of the secuity model for password managers too.

> Also, in terms of mixing work and personal accounts -- it's not enough to use separate browsers, I'd have to use separate devices, correct?

Yes, and avoid allowing chrome and edge to sync stuff, it's very useful for attackers lol.

> What are reflective .net assembly loading & thread injection?

I am sure a google search would be better than me trying to explain those in depth here. Basically you can execute code in memory without having to store the code anywhere on disk, it helps with cheaper av that focus more on disk and registry than memory and api call hooking.

> Like, I'm struggling to imagine why I'd be significantly worried about a downloaded .js file on Linux/macOS.

On windows by default .js is not javascript but jscript, a native script langauge similar to javascript used a lot before powershell was a thing. The windows script host (wscript.exe) will attempt to execute any .js files you double click on by default

What even is the "educational and research purposes" of such a tool?
Ah so they can temporarily allow malware.
What would your solution be? Just stopping people from sharing files altogether?
Discord is so broken that I tend to just upload stuff to OneDrive and share it there.
It’s so disappointing to me that it’s practically a guarantee that free services (like Discord’s file hosting) will come to not only be abused, but abused at scale if they remain free long enough. To me it’s one of the many issues that has eroded away the wonder of the web.

I can’t imagine what it must be like trying to get a foothold as a new image host these days, for example. Your free offering will be misused as soon as you get the smallest amount of traction, which then prompts you to lock it down, which then stymies growth that funnels into paid plans.

(comment deleted)
> There is no impact for Discord users that share content within the Discord client. Any links within the client will be auto refreshed. If users are using Discord to host files, we'd recommend they find a more suitable service.

Is this the first big move to push people off the web onto the desktop/mobile client where they have much more potential to invade privacy?

This has nothing to do with web-client vs mobile-client — it is “files viewed in any form of interactive client” vs “files being hot-linked from external websites”
Web forums have been doing something similar for a long time: They only allow access to “attachment” links when the user is logged in.

What I don’t understand is why Discord still wants to allow temporary access outside their clients.

I was surprised this ever worked to begin with. The first time I saw I could just right-click on a file link in Discord and post it elsewhere and it worked, I couldn't believe it. I then happily started to use it to share lots of files with people. I understand this feature has to go away, but it was nice while it lasted.

I am on a very niche Discord for the Battletoads video game series. I'm a former world record co-holder of the 100% NES co-op category, so, big fan. :) We've been cataloguing and saving every bit of contemporary Battletoads materials we could find and archiving them in Discord: manuals, design materials, concept art, ads, magazine coverage. Snapshots of the franchise juggernaut that never was. I need to move that off Discord and store it somewhere so the whole world can see what we've unearthed here. Battletoads wanted to go real big but a series of unlucky events just never made it. I fear that the lukewarm reception to the latest 2020 game means the series will be dormant at least for another decade.

Right now I'm planning to systematically download all of the our archived materials off Discord, move them up to archive.org, and perhaps start a little page on neocities curating the archive and highlighting some interesting stuff, for example:

Battletoads costumes:

https://cdn.discordapp.com/attachments/829695119803285504/10...

Battletoads novel, written by Rare, as background lore:

https://cdn.discordapp.com/attachments/829695119803285504/10...

Design documents for some levels, suggesting that the Turbo Tunnel might have at one time been the belly of a beast and that's why it looks so organic:

https://cdn.discordapp.com/attachments/829695119803285504/82...

All of these links will be lost, like tears in the rain.

When people use your platform for some other purpose, that is showing a clear gap in the market and product opportunity.

Do you:

A: kick them off your platform

B: turn that usage into a real paid product that meets demand

It's weird that people work so hard to come up with something that people want, and when it falls into their lap, it's seen as parasitic and killed.

Bruh. Discord did not invent a new product here.

This is just people hot linking things and using discord as a free file host. A product/problem that has existed for literally decades.

People wanting/using something for free does not mean you have a great business opportunity, in fact it's usually the opposite. To run a business you need someone to pay you for stuff.

Fair enough.

You're saying the key thing here is leeching bandwidth.