HTTP desync in Discord's media proxy: Spying on a whole platform
a day ago
- #Media Proxy
- #HTTP Desync
- #Security Bug
- A space character in a Discord media attachment link caused a 502 Bad Gateway error, revealing an HTTP injection bug in the media proxy.
- The bug allowed injection of control characters like line feeds, enabling header injection and queuing of additional requests into the pipeline.
- By poisoning a pooled upstream connection with a PUT request having an oversized Content-Length, the attacker could intercept the next user's request.
- This HTTP desync attack allowed real-time snooping on global traffic of media.discordapp.net, including attachments from public servers and private DMs.
- The attacker scaled the attack using threading and multiple files to capture incoming requests, automating the exfiltration process.
- The bug was reported on 2022-10-02, triaged on 2022-10-03, resolved on 2022-10-12, and awarded a $3500 bounty.
- The root cause remains unclear, possibly involving raw sockets, as standard request libraries typically prevent control character injection.
- In theory, the vulnerability might have allowed spoofed responses to users, though this was not confirmed.
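The summary above pins the root cause on user-controlled bytes (a space, then CR/LF) reaching the request line the proxy sends upstream. The example below is added here and is not Discord's code or the original write-up's; it shows the defender-side check a media proxy needs: validate the request-target and header values against the RFC 3986 / RFC 7230 character sets before serializing, percent-encode anything that does not pass, and regenerate `Content-Length` from the real body instead of copying the client's value. The proxy structure, function names and sample attachment paths are assumptions constructed for illustration.

```python
"""Input validation for a reverse/media proxy that rebuilds an upstream HTTP/1.1
request from client-controlled pieces.

Hypothetical code: the proxy internals here are assumed, not Discord's. The
invariant is that no client-controlled byte may terminate the request line or a
header field, which is the precondition for header injection and for queuing
extra requests on a pooled upstream connection.
"""
import re
from urllib.parse import quote

# origin-form request-target per RFC 3986: unreserved, sub-delims, pct-encoded,
# ":", "@", "/", "?".  SP, CR, LF and every other control byte are absent.
_TARGET_RE = re.compile(r"^/[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*$")
_PCT_TRIPLET_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# header field-name is a token; field-value allows HTAB, VCHAR, SP and obs-text,
# but never CR, LF or NUL (RFC 7230 section 3.2).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_HEADER_VALUE_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")


class UnsafeRequestPart(ValueError):
    """A client-controlled value cannot be placed in the upstream request verbatim."""


def validate_target(target: str) -> str:
    """Return `target` unchanged if it is a well-formed request-target, else raise."""
    if not _TARGET_RE.match(target):
        raise UnsafeRequestPart(f"disallowed characters in request-target: {target!r}")
    # every '%' must begin a valid pct-encoded triplet; a bare '%' is malformed
    if target.count("%") != len(_PCT_TRIPLET_RE.findall(target)):
        raise UnsafeRequestPart(f"malformed percent-encoding: {target!r}")
    return target


def is_safe_target(target: str) -> bool:
    """Boolean form of validate_target, convenient for logging/metrics."""
    try:
        validate_target(target)
        return True
    except UnsafeRequestPart:
        return False


def sanitize_target(raw_path: str) -> str:
    """Percent-encode a *decoded* path so that it passes validate_target.
    '%' itself is encoded, so callers must not pass an already-encoded path."""
    encoded = quote(raw_path, safe="/:@!$&'()*+,;=?")
    if not encoded.startswith("/"):
        encoded = "/" + encoded
    return validate_target(encoded)


def validate_header(name: str, value: str) -> str:
    """Return the trimmed header value if both name and value are well-formed."""
    if not _TOKEN_RE.match(name):
        raise UnsafeRequestPart(f"invalid header name: {name!r}")
    if not _HEADER_VALUE_RE.match(value):
        raise UnsafeRequestPart(f"control character in header {name}: {value!r}")
    return value.strip(" \t")


def build_upstream_request(method: str, target: str, headers: dict, body: bytes = b"") -> bytes:
    """Serialize one HTTP/1.1 request.  Framing headers supplied by the client are
    dropped and Content-Length is computed from the body actually sent, so the
    upstream's view of where this request ends always matches ours."""
    if not _TOKEN_RE.match(method):
        raise UnsafeRequestPart(f"invalid method: {method!r}")
    lines = [f"{method} {validate_target(target)} HTTP/1.1"]
    for name, value in headers.items():
        if name.lower() in ("content-length", "transfer-encoding"):
            continue  # regenerated below; never trust client framing
        lines.append(f"{name}: {validate_header(name, value)}")
    lines.append(f"Content-Length: {len(body)}")
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("latin-1") + body


# Constructed sample inputs (not taken from the write-up): a clean attachment
# path, the space case, and a CRLF payload that tries to append a header.
SAMPLE_PATHS = [
    "/attachments/1111/2222/image.png",
    "/attachments/1111/2222/my image.png",
    "/attachments/1111/2222/x.png\r\nX-Injected: 1",
]


def classify(paths):
    """Map each path to 'ok' or 'rejected' according to validate_target."""
    return {p: ("ok" if is_safe_target(p) else "rejected") for p in paths}


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:8s} {path!r} -> {sanitize_target(path)!r}")
```

Rejecting rather than silently encoding is the safer default at a proxy boundary: a path that arrives with a raw space or CR/LF was never a valid URL, so logging and dropping it both stops the injection and gives the SOC a signal to alert on. `sanitize_target` is there for the case where the proxy legitimately receives decoded filenames from its own application layer.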