Discord saves deleted images to your filesystem

This post outlines a security issue with Discord due to how it handles deletion records and localised caching for media posted in shared channels.

The issue

Media posted in Discord channels is written to the filesystem of every channel participant, even if that media is deleted from the channel immediately after being posted. It's important to note that this form of caching is a common practice and typically employed to facilitate quicker loading of content. However, the fact that Discord allows for the deletion of channel posts without any clear evidence of the deletion may present a potential vector for attack that I think all Discord users should be mindful of.

In an extreme hypothetical scenario, consider if a malicious party was to post indencent images of children or bomb-making plans to a wide-audience Discord channel, then immediately delete the posted images and proceed to file an anonymous report to law enforcement agencies alleging the participants in the channel have copies of that data stored on their filesystems. Whilst some might consider this attack unlikely, the possibility remains, particularly if your threat-model includes state actors with a desire to get their hands on your devices.

Finding your Discord cache

1. Open File Explorer and navigate to %AppData%/discord/Cache/Cache_Data

   

   

2. Right-click in the window and navigate to Open in Terminal

   

3. Rename all files in the folder to use the .png extension by running the command:
   Get-ChildItem -Path "$env:APPDATA/discord/Cache/Cache_Data" -File | ForEach-Object {Rename-Item $_.FullName -NewName "$($_.BaseName).png"}

   

   

Unfortunately, Discord's lack of configuration options adds to this issue. At the time of this blog post, there are no settings present within the application that allows for cache control. My recommendation is simply to be careful what Discord channels you choose to participate in.

Alternatively, you can also opt to employ the use of a Windows Task Scheduler to automatically run a PowerShell script that deletes the folder every 24 hours. Whilst this doesn't solve the problem, it may offer some assurance that cached media won't persist forever. This approach of course also doesn't prevent forensic recovery.

Set up a task scheduler to auto-delete your Discord cache

1. Open a notepad file and paste this command into it Remove-Item -Path "$env:APPDATA/discord/Cache/Cache_Data" -Recurse -Force
2. Save the file somewhere you won't lose it, such as to your Documents folder, and rename it to use the .ps1 file extension (such as discord-cache-deletion.ps1).
3. Open the Windows Task Scheduler by searching for Task Scheduler in the start menu.
4. Navigate to Task Scheduler in the start menu.

5. Click on Create Basic Task in the pane on the right side of the window and then add a name and description for the task.

   

   

6. Configure the Trigger conditions to run Daily

   

7. In the Action step, select Start a program

   

   In the Program/script field enter powershell.exe and in the Add arguments field, enter the file path -ExecutionPolicy Bypass -File "C:/[YOUR_ACCOUNT_NAME]/Documents/discord-cache-deletion.ps1"

   

8. Click Finish to save the task.

   

Follow Jacob Riggs

Jacob Riggs

Jacob Riggs is a senior cyber security professional based in the UK with over a decade of experience working to improve the cyber security of various private, public, and third sector organisations. His contributions focus on expanding encryption tools, promoting crypto-anarchist philosophy, and pioneering projects centred on leveraging cryptography to protect the privacy and political freedoms of others.

E3FE 4B44 56F5 69BE 76C1 E169 E3C7 0A52 9AEF DB6F