Privacy for CDN attachments

Comments

40 comments

  • kyoko

    Have you never seen a message saying anonymous caller cannot access this resource?

    -8
  • SailorKatJuju

    Here's an example: https://cdn.discordapp.com/attachments/494194782198038565/694722200531632198/220px-Blue_rectangle.png

    This "image" was sent by a friend of mine in private, but you can see it if you have the link. Of course you can't browse into https://cdn.discordapp.com/attachments/, but still you can see any resource in it even if it wasn't sent to you. In this case a blue square isn't a problem at all. However, what if this was something sensitive or could harm someone?

    8
  • Cyanophyceae

    This!!!! I sent a meme in a Webex call on accident. I'm lucky that it wasn't really offensive, however, other people may not be so lucky, and this could lead to some really awful consequences for people. It would be great if I could delete the image from cdn.discordapp.com, as that would fix this issue, at least for my specific situation.

    4
  • JahMyst

    +1 this is a major security issue...

    Files I send to friends in DM are publicly accessible on the CDN: any good bot can fetch those files without even authenticating to Discord!

    Please add authentication to access CDN files shared in private servers and DMs!

    8
  • Anneliese

    If you delete the message, the picture on the CDN will be deleted.

    If you try opening the same URL in your browser, make sure to clear the cache.

    -5
  • zukada

    discord saves the images forever; there is no way you can delete it

    and it's already been proven by dozens of people. they come up with counter replies like it'll get deleted after some time automatically, but in fact it does not. :-) so yeah

    0
  • JahMyst

    Even if they're deleted after some time, the real problem is that images are public by default on the CDN, even on private servers. Security by URL obfuscation in 2021 ... Maybe instead of adding Nitro boosts everywhere they should maybe freeze their release cycle and focus a bit on security.

    3
  • somebody

    i believe this is a non-issue.

    firstly, keeping the files around means that you can just copy and paste links (e.g. for memes), drastically reducing the load on the CDN.

    secondly, as others have said, delete the original message and the image will be gone. you can only see it because it's in your cache, ctrl + shift + r and you will no longer be able to see it.

    thirdly, you'd have to guess not only the guild ID and the channel ID, but the file name too. I really doubt you'd be able to find a single valid file before getting, say, IP banned by any DoS detection discord might be using. furthermore, it's trivial to make it impossible to guess filenames by adding a randomly generated ID to the file names...

    re: security by URL obfuscation... it was never meant to be secure. if security is that important to you in the first place, you should probably use something that's at least end-to-end encrypted 

    as for if companies are using discord to share files... you must be doing things wrong. cloud storage exists, which not only has customizable storage limits, but also much, much better support for e.g. collaborating on documents.

    -2
  • nog642

    1. No, it is not gone after deleting the original message, even with ctrl+shift+R. Just tried it.

    2. The URL format is https://cdn.discordapp.com/attachments/{channel ID}/{file ID, I'm guessing}/(unknown). So no, it does not contain the guild ID, and no, the file name is not modified, but also no, the URL is not guessable (I think).

    The real problem here is not some bot guessing the URL, but it is not a non-issue. The very real issue is, say, that you post an image containing some private information (address, DOB, security token, private photo, bank account number, whatever) by accident. You then, say, take 5 seconds (though it could be much longer) to realize your mistake and delete it.

    Anyone who copied the link in that time now has this permanent (or at least relatively long-lasting) link. Now yes, anyone could have also downloaded the image, which you can't really prevent. But having it permanently hosted is a bit worse.

    Consider also the case where a server has a bot that logs deletions of messages. The log will contain this URL. If deleting the original message deleted the image at the URL, then even if someone could see the log, they couldn't see the image. But since that's not the case, anyone who can see the text contents of your deleted message can also see the image.

    2
  • nog642

    Requiring authentication to GET the image from the URL is not a very good solution though. If I click "Open original" from the app, it opens the browser, where I may not be logged in. Would be a pain if I couldn't see the image.

    0
  • 〔🌠〕ExplodingBottle

    Hello, I've discovered something.

    In some cases, images can be deleted from the discord cdn.

    You need to create a group with 3 people.

    Then send an image and copy the link of the image.

    Delete the image and tell everyone to leave the group. After everyone has left the group, you need to do the same.

    Then wait 1 or 2 days without opening the link.

    And now, try to open the link and see a message like:

    <Error>
    <Code>AccessDenied</Code>
    <Message>Access denied.</Message>
    <Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.</Details>
    </Error>
    Here are many examples:
    -1
  • 〔🌠〕ExplodingBottle

    By the way, KatJuju, can you delete the image of the blue rectangle?

    After one week, you will notice that it will be deleted.

    1
  • JahMyst

    IMO here is how this should work (and how most messaging software actually works).

    When you share a file to a group, all the people in that group are granted authenticated access to its link (via IAM permissions or ACLs). No one external should be able to access that file if you share its link.

    This is even more critical for a private message: let's say you shared a private file (i.e. PII [Personally Identifiable Information]) with someone on Discord, and the link somehow gets leaked to someone else. That person should not be able to see the image using the link; only the two people in the conversation (authenticated) should be able to.

    Currently for both those use cases, Discord creates a public CDN link where anyone who can find the link (discussing how complex doing this is completely secondary to this discussion btw) WILL have access to a file shared in a "private" group or a "private" message.

    And yes, if you are not logged in to your browser, you should NOT be able to access that link either... This is simply called authenticated access through IAM roles and is highly widespread (look at Slack, Microsoft Teams, Hangouts, etc., which all work this way).

    None of the messaging alternatives store their files on public CDNs accessible without authentication. Fix it.

    4
  • staringatastar

    At the very least, when an image gets deleted, the CDN copy should also get deleted. I've tested this and no, the CDN copies don't seem to be deleted. That seems very basic and handles the case where someone either doesn't realize they're uploading a resource that is available to anyone with the link, or realizes but still accidentally uploads an image that contains identifiable information and has time to remove the resource.

    I can see how in many cases (when uploading funny gifs, memes, etc), it's very convenient to be able to paste images across groups or see the images in a browser without authentication. However, for people who have a private group chat, this is probably not the default use-case for images. I'm sure many of the images sent in a private server or private group are only meant for the members of the group. I don't think it's that much to ask to have an option to make some images only accessible to people authenticated to see them.

    I agree with OP, if this issue isn't resolved by at the very least deleting cdns for deleted images, and ideally by adding an option for some images to only be accessible by members of the group it was shared in, I will have to switch back to another chatting platform (pretty much all of them have this fairly basic feature).

    EDIT: When I tested deleting a message with images, the image did eventually get deleted, though it took about a week, not the 1-2 days people claimed, which is why I didn't think it was happening. I cleared browser cache and didn't revisit the link for a week before I saw the image removed. I'm not sure if revisiting the link delays deletion, since I wasn't planning on spending weeks testing various scenarios. With this in mind, this is no longer a deal-breaker, but it is still very inconvenient, and I still find myself sharing images via other chat interfaces.

    0
  • somebody

    as others have literally said before: they are deleted when the original message is deleted. it doesn't make sense not to.

    as i have literally said before: it's probabilistically impossible to guess an attachment name. it'd take at least, say, a few million tries minimum. you'd get banned from whatever dos/ddos detection they have waaaaaaay before you'd even get to that few million tries to get one attachment (not to mention you have zero control over what attachment you find... making it practically useless)

    and again as i literally said. if you want completely secure communication, discord is not it. just use telegram or matrix or signal or something if you want end to end encryption

    -3
  • JahMyst

    No, as staringatastar has mentioned, the attachment is not directly deleted when the original message is deleted: it can take up to a whole week to remove it from the CDN.

    somebody, why come here and comment to defend poor coding security practices made by Discord devs? DDOS systems don't necessarily catch well-programmed botnets which could test all URLs until they find a private attachment, and potentially use it for malicious purposes. Nothing is 'basically impossible' in Computer Science, so neither you nor the Discord dev team should take this lightly; other companies have made the error of overlooking security issues and failed miserably...

    Now you said that people should use another tool to share their private PII files if they need to, but the fact is that there is no mention anywhere in the Discord docs or public page that whatever is shared privately is actually on a public CDN, so unless this was explicitly stated people would assume their attachments are secure.

    A fact is that security through URL obfuscation is simply not a good security practice in 2021, please feel free to cite any other serious messaging company that still 'secures' their messages or attachments that way. Adding some `@auth_required` decorator to their attachment endpoint would fix this, literally take a few hours only to commit and test, and avoid a shitstorm.

    "Bear in mind that obfuscating URLs is NOT a security measure. You should never trust outside input - filter, sanitize and implement restrictive logic. No matter how clever you believe your obfuscation scheme to be, people have cracked much more complicated security schemes with relative ease." [StackOverflow]

    1
  • somebody

    ah yes discord can't detect botnets sending millions of requests, the vast majority of which point to resources that don't exist, suuuuuure

    ah yes checking for 403s is very hard

    tl;dr. again. your attachments are secure because it's impossible to find the url. you'd need not only the exact timestamp of the message, but also the exact time the channel was created, *and* the filename to be able to obtain a specific file before either getting completely blocked from access or without trying literally millions (this is a generously low estimate) of times - note that unlike cases in which you have the physical database, the number of requests you can send per second is heavily restricted by bandwidth, whatever ddos mitigation the isp/cdns may have etc. if the attacker does have the exact timestamp of the message and channel, and the filename, your attacker almost certainly already has physical access, meaning they wouldn't even need to use discord to get the file

    the CDN caches content (supposedly for a week) - obviously that means the attachment itself is deleted on discord's end immediately - after all, they have zero reason to keep a file around that is no longer accessible

    addressing that random stack overflow post you found - this is extremely clearly not "obfuscating" a url. it's giving the url an unguessable id (it's not random per se, but it's unguessable since realistically nobody would know the timestamps mentioned above to millisecond precision (even 1 second precision really)). (this is a security measure.)

    ok i can't be bothered explaining further so let's just put it this way. if you want to raise an issue with discord?

    why not raise an issue with google first.

    https://www.theverge.com/2015/6/23/8830977/google-photos-security-public-url-privacy-protected

    -4
  • JahMyst

    Feel free to keep making bogus arguments, I'm not here to change your mind, but to raise the issue for Discord engineers.
    For a quick answer on the Google story - it was a real issue dubbed as a security problem, which has since been fixed ...

    2
  • Emanuele

    I guess you've never had experience with many API services; the Telegram Bot API, which works on HTTP callbacks, also uses very long strings within the URL and it's nearly impossible to guess or bruteforce them.

    Just mentioning one of your CDN URLs:
    https://cdn.discordapp.com/attachments/834790104820219964/834790220473696326/RobloxScreenShot20210226_170137840.png 

    Do you realize that a bot would have to guess everything after the .../attachments/ string?
    It would be unbelievable to bruteforce such a URL locally, not to mention with HTTP requests.
    You can't argue about this being insecure; you can argue about the privacy, but I see the public URL thing as a feature: I can send a link to a picture or attachment I previously uploaded on Discord to people who don't have access to the platform.

    -1
  • FernandoEXoByte

    This is something that bothers me a lot. I know that it is practically impossible to guess a valid URL by brute force, but I think that you can never say that a system is 100% secure. I don't feel comfortable thinking that any image I send (from personal photos to sensitive information) is public like this, even if it's "hidden" by a long URL.

    Requiring authentication could be a start, and requiring "permission" to the resource (you couldn't access an image I never sent to you) would be better. I know that performance and other issues could appear, but what I want to say is that the developers need to think about this "problem" and a solution for it, whether requiring authentication/permission or any other solution that could fix or improve this issue. There will always be different approaches to a problem.

    1
  • Jamie

    +1

    I used to post on a server that turned out to be very shady and ended up getting banned. An online journalist group backed up the content of every message sent on the server up until the point it got banned. The attached link was uploaded in Jan of 2019 and the server was banned about a month after the image was posted. Anyone with enough time and a pirated copy of photoshop can easily reconstruct this:

    https://cdn.discordapp.com/attachments/418492114679365643/538519783885373476/MVIMG_20190125_194431.jpg

    discord has been hosting this image containing personally identifiable information using a publicly accessible URL for over 2 years. Some of y'all are saying this is no issue. The votes on your posts say otherwise.

    When will you just accept that there is still data on discord's servers that should not be there?

    2
  • somebody

    oh, no that's definitely an issue. discord doesn't delete messages from banned/deleted servers for some reason (probably because they don't delete messages individually)? it's a Very Very Bad Thing™ but imo that doesn't fall under this issue

    also you don't even need photoshop... even krita/gimp/paint.net is enough

    note that this issue will *not* solve anything re: that banned server thing - if they backed everything up they could well have backed up *all* the attachments on *their own* pcs already (or even just reposted to another discord server) - discord can't do anything to delete those (note that i'm not saying not deleting isn't a bad thing, because it definitely is, i'm just saying it wouldn't have helped in this specific situation)

    but also re: that incident, might want to contact discord support directly? might as well try to get that looked at given that it's not like discord even responds here

    -2
  • StarRanger

    Out of curiosity, does discord changing embeds to "media.discordapp.net" instead of "cdn.discordapp.com" change any of this? (If so for the better or worse?) Because I ran into a completely separate issue where the former won't load the preview videos for me and changing the embed link to the latter fixes that issue. And that's how I ended up here

    1
  • Project_Beta

    I was curious about this and decided to test it.
    Image https://cdn.discordapp.com/attachments/857030030035255336/874870834794217522/unknown.png
    Copy  https://cdn.discordapp.com/attachments/857030030035255336/874870859880362044/unknown.png
    As of now, I just deleted the image but left the copy there for reference.

    As expected you would see the copy but not the image, which means that the CDN does delete the image but sometimes leaves it there because Cloudflare caches the image on their server in case anyone wants it, and prevents too much strain on discord's server from requesting the same file over and over.

    This is just my hypothesis though. My words aren't absolute

    Sorry for Necroposting I just think people need to know this seeing that this is the top post when searching "Does discord remove links to deleted attachments" on google. Some people did say that the files are deleted but seeing the negative number just makes it look not unbelievable.

    I can't say much for the fact that all links are public though. That's a privacy concern if for some reason someone got a hold of your browsing data, even if you changed your password, the link to all the images you ever viewed on a different tab will always be there unless you deleted it.

    1
  • somebody

    StarRanger see this - media.discordapp.net is the image resizer, which (i'm assuming) also turns gifs and mp4s into the still frames/thumbnails

    1
  • JahMyst

    Related: https://www.zscaler.com/blogs/security-research/discord-cdn-popular-choice-hosting-malicious-payloads
    Quote: "For example, an attacker can upload a malicious file on a Discord channel and share its public link with others—even non-Discord users can download it. Worse, a file sent from Discord is there forever, so even if an attacker deletes a file within Discord, its link can still be used to download the malicious file. "

    Related: https://github.com/discord/discord-api-docs/issues/2224
    Last thread message (devs): "This is actually a Discord infrastructure limitation. It is something we've been tracking internally and will likely eventually be fixed, but as it is not related to the API or Bots I've closed this issue."

    Related: https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord
    Quote: "In October 2020 alone, we identified more than 5,700 public Discord attachment URLs hosting malicious content, mostly in the form of Windows executable files and archives. At the same time, we scanned our malware database for samples containing Discord URLs used as next stage payloads or C2’s."

    Even if the CDN URL is hard to guess, this mechanism could be used for malicious intents as shown above, so fixing this would be a good step... As for the problem of pasting an image (e.g. a meme) into another channel, there could be a popup on Ctrl + V asking "Do you want to share the document with the channel? y/N" and it would add the required IAM permissions... Similar to what Google does when you paste a document into a Chat thread.

    1
  • sweetpotato

    This is definitely an issue.

    The main argument for defending this behavior is "It would be impossible to find the URL, it would require to crack the 3 strings and it gets exponentially difficult", but this seems to me not true at all :

    The image name is very, VERY, often "unknown.png", because people take screenshots or copy images from the internet all the time.

    Then the attachment id, although I have no clue how it is generated, seems to be an ever-growing value.

    Finally the channel id is not really something private: you could, for example, still have the channel id of some channel you do not have access to anymore.

    With all that, it would be quite easy to find all images pasted to a channel that you are not in:

    Ex : someone sends me this image:  https://cdn.discordapp.com/attachments/123456789123456789/987654321987654321/example.png

    I know that there will probably be pictures called https://cdn.discordapp.com/attachments/123456789123456789/[attachment_id]/unknown.png
    where [attachment_id] < 987654321987654321

    Then we just have to figure out the rate at which the attachment_id grows and we can target specific time periods

    1
  • Tupper

    I actually disagree with this!

    Necessarily, if the Discord CDN is a public CDN, it should be treated as one. It is a dumb content delivery network and there are zero access rules intentionally. The responsibility of this CDN is to deliver files and no more. There is zero expectation of privacy and the best you've got is obscurity-based security via the snowflake ID (which is not trivial to guess). Don't send things via Discord attachments that you want to keep 1000% secure.

    I could see a new service being used for this, where there's a layer of authentication required to view images sent in a "secure" mode or something like that. But I, like many others (perhaps unwisely) use images uploaded to Discord's CDN as a temporary file host so I don't have to reupload content to multiple people, or to reference back to for ref images, or etc etc. So changing default behavior would be confusing.

    In short:

    • Do not change the current CDN's behavior, that would be unwise, confusing, and complicated. It would also break a lot of current workflow.
    • Introduce a new service as a feature (perhaps lock it behind Nitro initially, if you want) that lets you send a "secure file link". This is not a default behavior and must be explicitly chosen in the file upload modal.
    • This secure link passes through Discord's OAuth and requires that you authenticate as the recipient (or sender) in order to download the resource.
    1
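
The access model JahMyst and Tupper describe above (attachment links that only resolve for authenticated members of the channel, issued as an explicit "secure link" so "Open original" in a browser can still work), as an added example that is not Discord's code: a minimal issuer and verifier for HMAC-signed, short-lived attachment tokens checked against a constructed membership table. The key, the membership table, and the names `issue_link` and `authorize_download` are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: held only by the server

# Constructed membership table (assumption): channel id -> set of member user ids.
# In a real deployment this would be the platform's own channel/DM membership data.
CHANNEL_MEMBERS = {
    "123456789123456789": {"u_alice", "u_bob"},   # a DM between alice and bob
    "222222222222222222": {"u_carol"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())


def issue_link(channel_id, attachment_id, filename, user_id, ttl_s=300, now=None):
    """Mint a short-lived link for a user the server has already authenticated.
    Non-members never receive a link at all."""
    if user_id not in CHANNEL_MEMBERS.get(channel_id, set()):
        raise PermissionError("not a member of the channel")
    now = int(time.time()) if now is None else now
    claims = {"c": channel_id, "a": attachment_id, "f": filename,
              "u": user_id, "exp": now + ttl_s}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    token = _b64(payload) + "." + _sign(payload)
    return f"/attachments/{channel_id}/{attachment_id}/{filename}?t={token}"


def authorize_download(path, query_token, now=None):
    """Check the edge would perform before serving bytes. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = query_token.split(".", 1)
        payload = _unb64(body)
    except Exception:
        return False, "malformed token"          # anonymous or garbage request
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return False, "bad signature"            # tampered claims or forged token
    claims = json.loads(payload)
    if now > claims["exp"]:
        return False, "expired"                  # leaked link past its TTL
    expected = f"/attachments/{claims['c']}/{claims['a']}/{claims['f']}"
    if path != expected:
        return False, "token not issued for this object"
    # Re-check membership at download time so a user removed from the
    # channel stops being able to use a still-valid token.
    if claims["u"] not in CHANNEL_MEMBERS.get(claims["c"], set()):
        return False, "no longer a member"
    return True, "ok"
```

Within its TTL a leaked link is still a bearer credential for the issuing user, which is why the TTL is kept short; a plain GET with no token, or a token for a different object, is refused regardless.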
  • studiohawaii

    you can browse discord cdn just put site:https://cdn.discordapp.com/ in the url bar

    -3
  • vinci

    @Santa this is false and therefore misleading. I get a 1020 error code from cloudflare.

    0
