Discord is a remote control backdoor. It just isn't an exploit because that's how Discord is designed.

They send a tracking request for every single thing you do in their client. Clicked on someone's profile, clicked on a channel, clicked on a server, etc. The URL was named /track before but they renamed it to "/events" and then recently "/science" (but it's still a POST with no response).

Also, their desktop client is literally a remote administration toolkit: it has full access to the FS (Electron app) and it loads every script from their servers. On launch the desktop client opens a WebSocket server for command and control listening.

They can just add something like require('fs').readFileSync(process.env.HOME + '/.ssh/id_rsa').toString() and send this to their servers, and you won't even notice that (since it doesn't require an update on client because the client is just a browser with full permissions that loads obfuscated code from their servers every time you launch it).
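An added illustration, not part of the comment above and not Discord's code: the "browser with full permissions" situation the commenter describes comes down to a handful of Electron BrowserWindow settings combined with loading the renderer from a remote origin. The small audit below flags that combination and shows the hardened shape a defender would ship instead (renderer bundled with the app, Node kept out of the page, a narrow preload bridge, and a CSP). It assumes the standard Electron webPreferences keys nodeIntegration, contextIsolation, sandbox and webSecurity; the URLs, origins and preload path are constructed placeholders.

```javascript
// Added example (not from the thread or from Discord). Audits Electron
// BrowserWindow settings for the "remote web page with Node access" pattern
// and shows the hardened configuration beside it. Assumes the standard
// webPreferences keys; all URLs/paths below are constructed for the example.

const REQUIRED = {
  nodeIntegration: false,   // renderer must not get require()/process
  contextIsolation: true,   // page JS cannot reach the preload's Node scope
  sandbox: true,            // renderer runs in the OS-level Chromium sandbox
  webSecurity: true,        // keep same-origin policy and CSP enforcement
};

// Returns a list of findings (empty = nothing to report). loadUrl is what the
// app hands to win.loadURL()/loadFile(); an http(s) origin means the renderer
// code is fetched from a server at run time instead of shipped with the app.
function auditWindowConfig(webPreferences, loadUrl) {
  const findings = [];
  let protocol;
  try {
    protocol = new URL(loadUrl).protocol;
  } catch (_) {
    return ['loadUrl is not a valid URL: ' + loadUrl];
  }
  const remote = protocol === 'http:' || protocol === 'https:';
  if (protocol === 'http:') findings.push('renderer code is loaded over plaintext HTTP');

  for (const [key, safeValue] of Object.entries(REQUIRED)) {
    if (!(key in webPreferences)) {
      // Defaults changed across Electron major versions, so rely on none of them.
      findings.push(`${key} not set explicitly (default depends on Electron version)`);
    } else if (webPreferences[key] !== safeValue) {
      findings.push(`${key} is ${webPreferences[key]}, expected ${safeValue}`);
    }
  }

  if (remote && webPreferences.nodeIntegration === true) {
    findings.push('remote page gets Node APIs: whatever script the server sends can read the file system');
  }
  return findings;
}

// The shape the comment describes: a live web page from the vendor's server
// with Node exposed to it.
const riskyConfig = { nodeIntegration: true, contextIsolation: false, sandbox: false, webSecurity: true };
const riskyUrl = 'https://app.example.invalid/';                 // constructed origin

// Hardened shape: renderer bundled with the app, Node off, a preload script
// that exposes only named functions via contextBridge, and the server reached
// over fetch/WebSocket as data rather than as code.
const hardenedConfig = { ...REQUIRED, preload: '/opt/example-app/preload.js' }; // placeholder path
const hardenedUrl = 'file:///opt/example-app/renderer/index.html';            // constructed path

// CSP for the bundled renderer (attached in the main process with
// session.defaultSession.webRequest.onHeadersReceived): scripts only from the
// bundle, network only to the API origin over https and wss.
function buildCsp(apiOrigin) {
  return [
    "default-src 'self'",
    "script-src 'self'",
    `connect-src 'self' ${apiOrigin} ${apiOrigin.replace(/^https:/, 'wss:')}`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('risky   :', auditWindowConfig(riskyConfig, riskyUrl));
  console.log('hardened:', auditWindowConfig(hardenedConfig, hardenedUrl));
  console.log(buildCsp('https://api.example.invalid'));
}
```

The point of making unspecified keys a finding is that Electron's defaults have flipped over the years; a config that is safe on one major version may not have been on an earlier one, so an audit should demand the settings be stated.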

This just in: proprietary app is proprietary.

How is this at all surprising? Any non-open-source program can do everything you just listed and more. Discord may have been dumb for naming their analytics request point "/track" but that doesn't make them worse than anyone else. I wouldn't be surprised if Word sent every button press to Microsoft. And besides, all the chat data is stored on their servers anyway, so it's not like they get a whole bunch of new data through this.


For what it's worth: Any open-source program can do that as well. Telemetry isn't unheard of outside of proprietary software.


Well, you have to read past my first sentence. It's a list of things, not a thesis statement. Together they make Discord notably bad compared to even other proprietary software. Especially since, unlike MS Word, where people pay money for the product, Discord's product is the user.

But in particular the problem is that it's web crap and it pulls down its code every time you run it. And now with the websocket backdoor it doesn't even have to do that. This is very different from a compiled program.

It's not surprising but it is also not acceptable. I chose not to use it and encourage others to avoid it.


> Especially since unlike MS Word where people pay money for the product Discord's product is the user

I wish people would stop touting this. Just because you pay for it doesn't mean you aren't being tracked. I would say MS Word is considerably worse because you have to pay for it and it still tracks you.


I think this is less an issue with Discord and more an issue with desktop computing in general, and why I personally do my personal business on an iPad whenever I can.

Every application that you run can do everything that you can do. You aren't just trusting Discord not to suck up your keys, you are trusting every application on your system, and maybe even the OS itself.

I prioritized moving to iOS the same day I realized that every application would be restricted to a sandbox. It'd be nice if every application on Windows had to beg for permission to read outside of its own sandbox as well, but I doubt we will ever get there due to the sheer amount of legacy stuff hanging around.


Can't Discord do this on iOS too? They're tracking what you do within the app, and there's nothing on iOS that blocks that.


Within the app, sure. But they can’t arbitrarily exfiltrate information from other apps or from your file system since each app is sandboxed.
