HTTP desync in Discord's media proxy: Spying on a whole platform

What happened
A security researcher says they stumbled onto a weirdness in Discord’s media proxy back in 2022 — a stray space in an attachment URL produced a 502 and, after some poking, revealed something worse: the proxy was allowing injected control characters into the proxied HTTP request. That corruption was enough to prematurely terminate a proxied connection and, crucially, to smuggle headers and extra requests into the upstream pipeline. Short story: a tiny typo turned into a window into the plumbing.
How the bug worked
The researcher reports that by sending a crafted request that tricked the proxy into issuing a PUT to a Google Cloud Storage bucket with an oversized Content-Length, the backend would send less body data than the header promised. Connections to GCP were apparently pooled and returned for reuse, so the upstream, still waiting for the rest of the PUT's body, would read the next borrower’s request as that body. In plain English: one request’s declared body could swallow the next request on the same socket. It has been reported that this let the researcher harvest attachment links being fetched across media.discordapp.net in near real time.
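The pooled-connection desync described above, as an added simulation that is neither the researcher's code nor Discord's: constructed sample traffic replays a PUT with an oversized Content-Length followed by the next borrower's request on one socket, and a hypothetical proxy-side guard (`safe_to_forward`, with assumed names and hosts) shows the two checks that close the hole.

```python
import re

# Constructed sample traffic (not captured data) on one reused upstream socket.
# Request 1 is the PUT that declares more body than it sends; request 2 is the
# next pool borrower's request, which the upstream then reads as PUT body.
BODY_SENT = b"A" * 20
REQ2 = (b"GET /attachments/123/secret.png HTTP/1.1\r\n"
        b"Host: storage.example\r\n\r\n")
DECLARED = len(BODY_SENT) + len(REQ2)      # deficit sized to one whole request
REQ1 = (b"PUT /bucket/obj HTTP/1.1\r\nHost: storage.example\r\n"
        + b"Content-Length: %d\r\n\r\n" % DECLARED + BODY_SENT)

CL_RE = re.compile(rb"(?im)^content-length:[ \t]*(\d+)")

def frame_requests(stream: bytes):
    """Split a byte stream into (request_line, body) pairs the way an HTTP/1.1
    upstream does: it trusts Content-Length to tell it where each body ends."""
    framed = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:                      # incomplete header block: wait for more
            break
        m = CL_RE.search(head)
        n = int(m.group(1)) if m else 0
        framed.append((head.split(b"\r\n")[0], rest[:n]))
        stream = rest[n:]
    return framed

def swallowed_request():
    """Replay both requests on one socket and return the upstream's view."""
    return frame_requests(REQ1 + REQ2)

# Hypothetical proxy-side guard (not Discord's code): the checks a proxy needs
# before it may forward a request and hand the connection back to the pool.
CTRL = re.compile(rb"[\x00-\x1f\x7f]")   # CR, LF and other control bytes

def safe_to_forward(method: bytes, target: bytes, headers: dict, body: bytes) -> bool:
    """Refuse control bytes anywhere in the request line or headers, refuse
    whitespace in the method, target or header names (both corrupt framing),
    and refuse a body whose length differs from the declared Content-Length."""
    for part in (method, target, *headers.keys(), *headers.values()):
        if CTRL.search(part):
            return False
    if b" " in method + target or any(b" " in name for name in headers):
        return False
    declared = headers.get(b"Content-Length")
    if declared is None:
        return True
    try:
        return int(declared) == len(body)
    except ValueError:
        return False
```

`swallowed_request()` returns a single framed request whose body contains the entire second request, which is exactly the view the upstream had of the pooled socket.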
Why it matters (and what’s still unknown)
This is the scary bit — real-time visibility into attachments across public servers and private DMs. It wasn’t an edge case; scaling the technique reportedly only required threading and more files to capture the incoming stream. Isn’t that insane? The researcher calls it one of their most impactful finds, yet admits they still don’t know exactly how control characters were accepted — no decent HTTP library should allow that — so maybe raw sockets were involved. It has been reported that, in theory, spoofed responses might also have been possible, but that claim remains unconfirmed. Whether Discord has patched the vector, or how many users were exposed, wasn’t disclosed by the researcher.
Sources: tmctmt.com, Lobsters