Discord to Use Temporary Links to Combat Malware Distribution

Discord to Implement Temporary File Links to Prevent Malware Spread

By the end of 2023, Discord will switch to using temporary links for files, with a limited validity period. This measure is intended to make it more difficult for cybercriminals to abuse the company’s CDN (Content Delivery Network) for hosting and distributing malware.

“Discord is changing its approach to attachment URLs to create a safer and more reliable service for users. In particular, this will help our security team restrict access to unwanted content and generally reduce the amount of malware distributed through our CDN,” company representatives stated. “This will not affect users sharing content within the Discord client. Any links in the client will update automatically. If users are using Discord to host files, we recommend finding a more suitable service.”

It is noted that Discord developers may notice minor changes, but the company is “working closely with the community” on these issues. The changes are expected to be implemented by the end of 2023, and developers will receive more detailed information in the coming weeks.

How the New Temporary Links Will Work

According to Bleeping Computer, once the changes to file hosting (described by Discord as enforced authentication) take effect by the end of this year, all links to files uploaded to Discord servers will expire after 24 hours.

The new URLs will include three additional parameters that add expiration timestamps and unique signatures, which will remain valid until the link expires. This will prevent the Discord CDN from being used for permanent file hosting.

Although these parameters are already being added to Discord links, they are not yet enforced. The expiration of links shared outside of Discord servers will only take effect after the company rolls out changes to its authentication system.

“To improve the security of the Discord CDN, three new URL parameters have been added to CDN attachment URLs: ex, is, and hm. After the new authentication rules are introduced at the end of this year, links with a specified signature (hm) will remain valid until their expiration time (ex),” Discord developers explained. “To access a CDN attachment link after it expires, your application will need to obtain a new CDN URL. The API will automatically return valid, non-expired URLs when accessing resources containing CDN attachment URLs, such as when retrieving a message.”
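As an added example (not Discord's code and not from the original article), the sketch below shows how an application or a log-review script could classify attachment links by the `ex`, `is` and `hm` parameters described above. It assumes, per Discord's developer documentation rather than this article, that `ex` and `is` are hexadecimal Unix timestamps; the host list, function names and sample URL are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Assumption: attachment links are served from these hosts (not stated in the article).
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Constructed sample: ex = 0x65500000, is = ex minus 24 hours, hm = dummy signature.
SAMPLE_URL = ("https://cdn.discordapp.com/attachments/111111111111111111/"
              "222222222222222222/report.pdf?ex=65500000&is=654eae80&hm=" + "ab" * 32)

def classify_attachment_url(url, now=None):
    """Return (state, expires_at); state is one of
    'not-cdn', 'unsigned', 'malformed', 'expired', 'valid'."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    if parts.hostname not in CDN_HOSTS or not parts.path.startswith("/attachments/"):
        return "not-cdn", None
    query = parse_qs(parts.query)
    # A link without all three parameters predates signing and will stop
    # working once enforcement begins.
    if not all(key in query for key in ("ex", "is", "hm")):
        return "unsigned", None
    try:
        expires = datetime.fromtimestamp(int(query["ex"][0], 16), tz=timezone.utc)
        issued = datetime.fromtimestamp(int(query["is"][0], 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return "malformed", None
    if issued > expires:
        return "malformed", None
    # The hm signature can only be verified by the CDN itself, so "valid"
    # here means "not yet expired according to ex", nothing more.
    return ("expired" if now >= expires else "valid"), expires

def needs_refresh(url, now=None, margin=timedelta(minutes=5)):
    """True when the application should request a fresh URL from the API
    (for example by retrieving the message again) instead of reusing this one."""
    now = now or datetime.now(timezone.utc)
    state, expires = classify_attachment_url(url, now)
    if state == "valid":
        return expires - now <= margin  # refresh shortly before expiry
    return state in ("unsigned", "malformed", "expired")

if __name__ == "__main__":
    print(classify_attachment_url(SAMPLE_URL), needs_refresh(SAMPLE_URL))
```

The check is a local hint only: the CDN remains the authority on whether a link is accepted, so a fetch that fails should also trigger a refresh through the API.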

Background: Discord’s Ongoing Malware Problem

These changes are not unexpected, as Discord servers have long been a hotbed for malicious activity by various hacker groups. The ability to host files permanently via Discord has often been used to distribute malware and exfiltrate data from compromised systems using webhooks.

The scale of the problem is well illustrated by a recent report from Trellix, which found that Discord CDN URLs were used by at least 10,000 malware samples to deliver second-stage payloads to infected systems. Most of these were loaders and scripts for installing malware, including RedLine, Vidar, AgentTesla, zgRAT, and Raccoon.

Additionally, according to Trellix, over the past few years, various malware families (including Agent Tesla, UmbralStealer, Stealerium, and zgRAT) have regularly used Discord webhooks to steal confidential information from compromised devices, such as browser cookies and cryptocurrency wallet data.
