Privacy for CDN attachments
What's the point?
When you send an attachment, let's say a picture, to a friend or in a server, it will be stored at https://cdn.discordapp.com/attachments/. Whether you delete your picture or not, it will be stored forever, so you can see it using the same URL.
Why is it a problem?
Discord CDN is public, meaning anyone can see any attachment as long as they have the URL for it. It also means that anything we send is online forever and can't be deleted at all. If you sent something that could be sensitive, a bank account for example, then anyone could see it and there's no way for you to prevent it. You can delete the picture in Discord but it will remain in the CDN publicly.
It's also a big problem for companies that may use Discord to work. Nobody wants their super secret project to be public because of this problem. Because of this, we may have to ditch Discord as we ditched Skype and TeamSpeak to use something else and get more privacy.
Also, any attachment we may have sent could be obtained by anybody with a very simple script that scans URLs.
What should be done?
First, when you try to access an attachment it should check if you can see the requested attachment. This means that you can only see it if you are within the server it was sent on, or if this was sent to you in private. If not, an error should be displayed.
Secondly, when an attachment is deleted, it should be deleted from the CDN too.
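The two rules proposed in this post (authorize every fetch against the server or DM the file was posted in, and purge the blob when the message is deleted) can be shown as a small access-gated store next to a "public CDN" that behaves the way the post describes. This is an added example and not Discord's code; nothing is known here about how Discord's CDN is actually implemented. The user and guild names, the `scope` string format, and the class and method names are all constructed for the illustration.

```python
"""Added example, not Discord's code: a toy attachment store that applies the
two rules proposed above, beside a 'public CDN' variant that behaves the way
the post describes (URL is the only secret, blob outlives the message)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    data: bytes
    scope: str  # constructed format: "guild:<guild_id>" or "dm:<user_a>:<user_b>"


class AttachmentUnavailable(Exception):
    """One error for both 'missing' and 'not allowed', so a client guessing
    ids cannot learn from the error whether a given id exists."""


class PublicCdn:
    """The behaviour the post complains about: knowing the id is enough to
    read the blob, and deleting the message leaves the blob in place."""

    def __init__(self):
        self.blobs = {}      # attachment id -> Attachment
        self.messages = {}   # message id -> attachment id

    def upload(self, message_id, attachment):
        aid = secrets.token_hex(8)  # unguessable id, but it is the only "secret"
        self.blobs[aid] = attachment
        self.messages[message_id] = aid
        return aid

    def fetch(self, requester, aid):
        if aid not in self.blobs:
            raise AttachmentUnavailable(aid)
        return self.blobs[aid].data  # no authorization check at all

    def delete_message(self, message_id):
        self.messages.pop(message_id)  # the blob is intentionally left behind


class GatedCdn(PublicCdn):
    """Same store with the two proposed fixes applied."""

    def __init__(self, guild_members):
        super().__init__()
        self.guild_members = guild_members  # guild id -> set of user ids

    def can_access(self, requester, aid):
        att = self.blobs.get(aid)
        if att is None:
            return False
        kind, *parts = att.scope.split(":")
        if kind == "guild":
            return requester in self.guild_members.get(parts[0], set())
        if kind == "dm":
            return requester in parts
        return False  # unknown scope: deny by default

    def fetch(self, requester, aid):
        if not self.can_access(requester, aid):
            raise AttachmentUnavailable(aid)
        return self.blobs[aid].data

    def delete_message(self, message_id):
        aid = self.messages.pop(message_id)
        self.blobs.pop(aid, None)  # purge the blob along with the message


def try_fetch(cdn, requester, aid):
    """Return the bytes, or None when the store refuses (used by the demo)."""
    try:
        return cdn.fetch(requester, aid)
    except AttachmentUnavailable:
        return None


def demo():
    """Walk the scenario from the post with constructed users and a constructed file."""
    picture = b"constructed-image-bytes"
    members = {"g1": {"alice", "bob"}}  # constructed guild membership
    results = {}

    public = PublicCdn()
    aid = public.upload("m1", Attachment(picture, "guild:g1"))
    results["public_outsider_reads"] = try_fetch(public, "mallory", aid) == picture
    public.delete_message("m1")
    results["public_survives_delete"] = try_fetch(public, "mallory", aid) == picture

    gated = GatedCdn(members)
    aid = gated.upload("m2", Attachment(picture, "guild:g1"))
    results["gated_member_reads"] = try_fetch(gated, "bob", aid) == picture
    results["gated_outsider_blocked"] = try_fetch(gated, "mallory", aid) is None
    dm = gated.upload("m3", Attachment(picture, "dm:alice:carol"))
    results["gated_dm_peer_reads"] = try_fetch(gated, "carol", dm) == picture
    results["gated_dm_other_blocked"] = try_fetch(gated, "bob", dm) is None
    gated.delete_message("m2")
    results["gated_purged_on_delete"] = try_fetch(gated, "bob", aid) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two design points worth noting: the gated store denies by default for any scope it does not recognise, and it raises the same error for "no such attachment" and "not allowed", so an unauthenticated or unauthorised requester learns nothing about whether an id is real. A random id alone (as in `PublicCdn`) is a capability URL, which is exactly the property the post objects to: anyone who is forwarded the link, or who finds it in a log, has the file.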
@vinic it's not actually misleading; there could be a Cloudflare error because there are so many viruses in Discord CDN
@Santa you've no idea what you're talking about. You said that you can *browse* it. You cannot.
@vinci you're not supposed to click the link; the site: extension is something I learned
@Santa I still have no idea what you're talking about, and if you're going to demonstrate it by writing a word per post, you're probably not going to get too far or convince anyone. You simply said that you could browse it, you haven't given any hints regarding that and you simply offered the URL, which of course leads one to believe that you can click and browse.
So if you're not going to actually show how this can be done, your intervention is worthless and I'll stop here.
@vinic be careful though, don't download anything from Discord CDN that you don't know
> There is zero expectation of privacy
Discord is reasonable not to provide a perfect guarantee of privacy, but there is definitely more than zero expectation of privacy for the Direct Message feature among normal users of Discord. To mend this gap in information, Discord should explicitly disclose at the start of every Direct Message a summary of the retention policies for messages and attachments, and link to the full documents.
Don't give corporates free passes.
This is a big issue.
I migrated my company from Slack to Discord, and now I have to search for another platform. Maybe even go back to Slack while this is not fixed.
We love Discord, it has all the features we needed, but it lacks privacy. And since we work with personal information, credentials, bank accounts, etc., Discord is no longer an option.
I'll keep using Discord for personal fun and games, but unfortunately it doesn't have the security needed for business.
Definitely not good for business, and I'll give you another reason: it's possible for a moderator to delete an entire channel in 2 clicks with no way to recover the lost messages. An attacker hacked one of our colleagues' accounts and wreaked havoc, almost all channels deleted in our Luxonis community. Discord says they can't do anything about it. See this, which is 3 years old:
https://support.discord.com/hc/en-us/community/posts/360029420552-Grace-Period-for-Deleted-Channel-Recovery