Discord will switch to temporary file links for all users by the end of the year to block attackers from using its CDN (content delivery network) for hosting and pushing malware.
“Discord is evolving its approach to attachment CDN URLs in order to create a safer and more secure experience for users. In particular, this will help our safety team restrict access to flagged content, and generally reduce the amount of malware distributed using our CDN,” Discord told BleepingComputer.
“There is no impact for Discord users that share content within the Discord client. Any links within the client will be auto refreshed. If users are using Discord to host files, we’d recommend they find a more suitable service.
“Discord developers may see minimal impact and we’re working closely with the community on the transition. These changes will roll out later this year and we’ll share more info with developers in the coming weeks.”
After the file hosting change (described by Discord as authentication enforcement) rolls out later this year, all links to files uploaded to Discord servers will expire after 24 hours.
CDN URLs will come with three new parameters that will add expiration timestamps and unique signatures that will remain valid until the links expire, preventing the use of Discord’s CDN for permanent file hosting.
While these parameters are already being added to Discord links, they still need to be enforced, and links shared outside Discord servers will only expire once the company rolls out its authentication enforcement changes.
“To improve security of Discord’s CDN, attachment CDN URLs have 3 new URL parameters: ex, is, and hm. Once authentication enforcement begins later this year, links with a given signature (hm) will remain valid until the expiration timestamp (ex),” the Discord development team explained in a post shared on the Discord Developers server.
“To access the attachment CDN link after the link expires, your app will need to fetch a new CDN URL. The API will automatically return valid, non-expired URLs when you access resources that contain an attachment CDN URL, like when retrieving a message.”
A giant leap forward in the battle against malware
This is a much-anticipated move toward the ongoing challenges Discord faces in curbing cybercrime activities across its platform, seeing that its servers have long served as breeding grounds for malicious activities associated with financially motivated and state-backed hacking groups.
Discord’s permanent file hosting capabilities have frequently been misused to distribute malware and exfiltrate data gathered from compromised systems using webhooks.
Despite the escalating scale of this issue in recent years, Discord has so far struggled to implement effective measures to deter cybercriminals’ abuse of its platform and decisively address the problem or, at the very least, limit its impact.
According to a recent report by cybersecurity company Trellix, Discord CDN URLs have been exploited by at least 10,000 malware operations to drop second-stage malicious payloads on infected systems.
These payloads primarily consist of malware loaders and scripts that install malware, such as RedLine stealer, Vidar, AgentTesla, zgRAT, and Raccoon stealer.
According to Trellix’s data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.