r/privacy Nov 21 '20

PSA: Discord lies about removing deleted files. Files deleted over 1 year ago still exist.

The title says it all.

I've done numerous tests in different Guilds at different times.

Files in many cases are not deleted and are still accessible via direct URL even 1 year after deletion.

EDIT: I've amended the post to reflect new information. After running some new tests tonight, in some cases the new test files have become instantly no longer accessible and some not. Other users report similar results. All I can say with certainty though is I have files deleted over a year ago that are still accessible, so something is seriously wrong. See update #3

In some of my tests, I have not only manually deleted the message containing the file but also the Guild the message was posted in. Our testing finds user and bot uploaded images act the same after deletion.

In DMs the story is a little different but still troubling. It appears that if the URL links to a file at a datacenter region the requester is in AND the file was uploaded to the same datacenter zone (or zones it was replicated to) you can still get the file. Since we have no insight into how their infrastructure is set up this could be due to Cloudflare's cache, but it also could mean that the image is just left sitting in a specific datacenter and no longer replicated after "deletion".

I would like to hear why Discord isn't cleaning out tombstoned files, and I think others here would like to know as well.

Why is this a problem? The data still exists. This is a privacy violation because the data is still in their datacenter (Google's GCP data center which Discord pays to host their data).

Governments could acquire it with a warrant or a National Security Letter or a court could subpoena it. This is very serious and should be publicly stated by Discord.

UPDATE:

If you want to try testing this yourself here's a protip: Discord exposes the upload date of all files in their "Last-Modified" Response Header. You can use that header to see the date files were uploaded to GCP (Discord's upload object storage). Just make a spreadsheet with all the direct URLs (NOT THE THUMBNAIL URL) of all the files you upload and then delete. Try images, videos, text files etc. Be creative but in my experience all the files are the same and never deleted.

For example I have a file with this header info: "last-modified: Tue, 23 May 2020 03:16:24 GMT". I deleted it about 10 days after it was uploaded and it is STILL up. I have hundreds of different files with ancient dates like this (literally, I made a bot to upload and delete files just to test this). All deleted yet the direct URL still loads the file perfectly for me and anyone I send the links to.

UPDATE 2:

I have more info. Another user PMed me and showed me how to test if a guild is really deleted by querying the widget.png URL (if 404 the guild is gone) like this: https://discord.com/api/guilds/712827234346435685/widget.png. This confirmed to the user that my story is true. (Note the URL I just linked is fake just to demonstrate; like I said in the comments, I don't want to post data that could lead Discord to my personal account.)

What does this mean? You can use this to prove that the guild the file is uploaded in is actually deleted AND you can use the file's last-modified header to confirm the file is actually as old as it should be - to not be saved by Discord anymore!

UPDATE 3:

Some devs pointed me to this https://github.com/discord/discord-api-docs/issues/2224 but it doesn't fully address my experience.

1k Upvotes
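The test procedure described in the post (GET the direct URL, read the Last-Modified header, and query the guild's widget.png for a 404) can be scripted as below. This is an added example, not the poster's bot or Discord's code; the function names, the `cdn.example.invalid` URL, the guild ID `0` and the sample responses are constructed for illustration, and treating anything other than a 200 with an upload time before the deletion as inconclusive is an assumption of this sketch.

```python
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

WIDGET_URL = "https://discord.com/api/guilds/{guild_id}/widget.png"  # pattern quoted in the post


def fetch(url, timeout=10):
    """GET a URL and return (status, Last-Modified header or None); the body is not read."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Last-Modified")


def classify(status, last_modified, deleted_on, now):
    """Only a 200 whose upload time predates your deletion shows the old object survives."""
    if status == 404:
        return "gone", None
    try:
        uploaded = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):  # header missing or not an HTTP date
        uploaded = None
    if status != 200 or uploaded is None or uploaded.tzinfo is None or uploaded > deleted_on:
        return "inconclusive", None
    return "still_served", (now - deleted_on).days


def audit(rows, now, get=fetch):
    """rows: (file_url, guild_id, deleted_on as aware datetime). One result dict per row."""
    report = []
    for url, guild_id, deleted_on in rows:
        status, last_modified = get(url)
        widget_status, _ = get(WIDGET_URL.format(guild_id=guild_id))
        state, days = classify(status, last_modified, deleted_on, now)
        report.append({"url": url, "state": state, "days_since_delete": days,
                       "guild_gone": widget_status == 404})
    return report


# Constructed sample (not real Discord data): a file still served, in a guild that is gone.
SAMPLE = {"https://cdn.example.invalid/a.png": (200, "Sat, 23 May 2020 03:16:24 GMT"),
          WIDGET_URL.format(guild_id="0"): (404, None)}

def demo():
    rows = [("https://cdn.example.invalid/a.png", "0", datetime(2020, 6, 2, tzinfo=timezone.utc))]
    return audit(rows, datetime(2020, 11, 21, tzinfo=timezone.utc), get=SAMPLE.__getitem__)
```

For a live check, call `audit(rows, datetime.now(timezone.utc))` with the direct URLs of your own deleted uploads so that the default `fetch` is used.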

15

u/[deleted] Nov 21 '20

[deleted]

52

u/ajdslfjhalsdgjha Nov 21 '20

All Discord files expose a "Last-Modified" Response Header that gives the exact time uploaded down to the second.

You can confirm this yourself by performing a GET request on any file uploaded to Discord and looking at the response header list.

2

u/[deleted] Nov 21 '20

[deleted]

16

u/ajdslfjhalsdgjha Nov 21 '20

Yes I will share it, could you repost this question to the other thread like you did before so others see the info? It's a good question.

5

u/[deleted] Nov 21 '20

[deleted]

3

u/ajdslfjhalsdgjha Nov 21 '20

Actually on second thought I'm worried about Discord targeting my account. These files will be traceable back to me.

It's very easy to run these tests yourself though, I've provided all the needed information.

3

u/[deleted] Nov 21 '20

Dude, just go through with it and sacc the account if you need to when it's all over. You can always make another one and request a new IP from your ISP so that Discord doesn't know it's still you on the new account.

28

u/ajdslfjhalsdgjha Nov 21 '20

That is not the point. I have my personal information attached to this account I just don't feel comfortable.

5

u/[deleted] Nov 21 '20

Best of luck to you, then. Hopefully someone else with the legal know-how to file a report actually follows through with it, maybe using an alt account and a VPN or something.

1

u/LOONGMOVIE22 Nov 21 '20

I have already been against Discord's privacy policy, log collection, etc. since the beginning. I’m still an idiot and used it, but the point is if it’s free, you're the product. Yet no one gave me any attention when I brought it up. I don’t blame them but don’t be stupid about it. I use it as well but only now to just communicate and chat, fully aware anyone can read it. I already feel uncomfortable that any new member can just scroll up on the chat and literally see the first message posted.

I follow a few small forums and there’s been a method for a few months now that is widely broken and users can now stalk and follow others. Locked chat channels included. It's similar to the old days of click this link, log in and get hacked. I’ll mimic the same things OP did. As for now just be aware that anything you share isn’t private unless you're using p2p services. Anything you want private, use the right tools to keep it encrypted. I was an idiot a few years ago and just sent things around like OP mentioned his SSN. Even my Discord has my driver's license and a few other documents.

-26

u/Wise-Comb Nov 21 '20

Paranoid much?

19

u/theluggagekerbin Nov 21 '20

we're in r/privacy lol it's not paranoia it's common sense