Josh Fraser (joshfraser.lens)
@joshfraser

Important PSA: Do you run a @discord server? Your private channels are probably not as private as you think. A thread. 👇 1/15

I recently discovered you can glean insights into the internal workings of any project that's using @discord because the Discord API leaks the name, description, members list, and activity data for every private channel on every server. 2/15

Lots of crypto projects use private channels in @discord to collaborate on not-yet-announced partnerships, upcoming product launches, exchange listings, and coordinate multi-sig signers. 3/15

I've always assumed that @discord's "private channels" were actually private. They have the little 🔒 icon next to them! It's obvious that other teams have made the same (incorrect) assumption: 4/15

The internal Discord channel for @binance is called "👔┃binance-staff". The description states that it's "hidden from all roles except for Binance staffs". Except it's not. 5/15

Not that it was ever a well-kept secret, but @opensea have a private Discord channel called "◎solana-launch-partners". 6/15

Similarly, @compoundfinance has a private channel called "💙coinbase". While their relationship with @coinbase is well known at this point, this could have been significant alpha when it was first created. 7/15

Multiple teams have "private groups" for their multi-sig signers with a publicly visible list of the specific individuals who are members of that channel. Some teams have even posted sensitive directions & wallet addresses in the publicly visible description field. 😬 8/15

An anonymous member of a DAO multi-sig could be outed and their physical safety put at risk due to public doxxing. Anonymous whistleblowers or others with a high need for privacy could have their cover blown due to their identities leaking. 9/15

You can also monitor how active a private channel is on @discord. It's not hard to imagine being able to find tradable insights using this data. For example, there may be a flurry of activity right before a big launch. 10/15

When I responsibly disclosed this issue to the team at @discord via @Hacker0x01, they quickly closed it as a "duplicate issue" with the following explanation: 11/15

Since we cannot expect @discord to prevent this data from leaking anytime soon, it's best that everyone is aware of the issue so they can take the appropriate precautions. 12/15

It's worth acknowledging that @discord was originally designed for gamers who have different privacy needs than the high-stakes world of crypto. @OriginProtocol was one of the very first teams to switch over from using @SlackHQ and it was 100% the right decision. 13/15

I'm an enormous fan of @discord and the product they have built. Their product is still the best I've seen for large communities who don't necessarily know or trust each other. 14/15

Please share this thread with anyone you know who is responsible for managing a @discord server.

If we're going to keep the cameras in the showers, people should at least know they are there. 15/15
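The thread's practical advice is to assume that the name, description (topic), and per-member permission overwrites of every private channel are visible, and to audit them accordingly. Below is an added, defender-side example that is not code from the thread, from the author, or from Discord: it runs a simple audit over channel objects in the shape returned by Discord's `GET /guilds/{guild.id}/channels` endpoint (an assumption about the response format), treats a channel as "private" when its `@everyone` overwrite denies the `VIEW_CHANNEL` permission bit (assumed to be `1 << 10`), and flags private channels whose name or topic contains material a server admin would not want exposed. The channel list, role id, and wallet-looking address are constructed sample data, not real identifiers.

```python
import re

# Discord permission bit for VIEW_CHANNEL (assumed constant, 1 << 10 == 1024).
VIEW_CHANNEL = 1 << 10

# Constructed sample shaped like a guild channel listing: the @everyone role id
# is a placeholder, and the 0xab...ab address is deliberately fake.
EVERYONE_ROLE_ID = "1000"
SAMPLE_CHANNELS = [
    {"id": "1", "name": "general", "type": 0, "topic": "Community chat",
     "permission_overwrites": []},
    {"id": "2", "name": "multisig-signers", "type": 0,
     "topic": "Send approvals to 0x" + "ab" * 20,
     "permission_overwrites": [
         {"id": EVERYONE_ROLE_ID, "type": 0, "allow": "0", "deny": "1024"},
         {"id": "501", "type": 1, "allow": "1024", "deny": "0"},
         {"id": "502", "type": 1, "allow": "1024", "deny": "0"},
     ]},
    {"id": "3", "name": "staff-lounge", "type": 0, "topic": None,
     "permission_overwrites": [
         {"id": EVERYONE_ROLE_ID, "type": 0, "allow": "0", "deny": "1024"},
     ]},
]

# Patterns that suggest a name or topic is carrying something the thread
# warns about: EVM-style wallet addresses and launch/signer vocabulary.
SENSITIVE_PATTERNS = {
    "evm_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "keyword": re.compile(
        r"\b(multi-?sig|signers?|seed phrase|private key|launch|listing|partners?)\b",
        re.IGNORECASE),
}


def is_private(channel, everyone_role_id):
    """A channel is 'private' if @everyone is denied VIEW_CHANNEL via an overwrite."""
    for ow in channel.get("permission_overwrites", []):
        if ow["id"] == everyone_role_id and int(ow["deny"]) & VIEW_CHANNEL:
            return True
    return False


def audit_channels(channels, everyone_role_id):
    """Return one finding per private channel: why its metadata looks sensitive
    and how many individual members are named in its overwrites (type 1)."""
    findings = []
    for ch in channels:
        if not is_private(ch, everyone_role_id):
            continue
        text = f"{ch.get('name', '')} {ch.get('topic') or ''}"
        reasons = [label for label, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]
        member_overwrites = sum(1 for ow in ch.get("permission_overwrites", [])
                                if ow["type"] == 1)
        findings.append({
            "id": ch["id"],
            "name": ch["name"],
            "reasons": reasons,
            "member_overwrites": member_overwrites,
        })
    return findings


if __name__ == "__main__":
    for f in audit_channels(SAMPLE_CHANNELS, EVERYONE_ROLE_ID):
        flag = "REVIEW" if f["reasons"] or f["member_overwrites"] else "ok"
        print(f"[{flag}] #{f['name']} ({f['id']}): reasons={f['reasons']} "
              f"named members={f['member_overwrites']}")
```

To use it on a real server, fetch the channel list with your own bot token and pass the guild id as the `@everyone` role id (in Discord the two are the same value). Anything the audit flags belongs in the channel body, not in its name or topic, and a role-based overwrite exposes less than a list of named members.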
