HTTP desync in Discord’s media proxy: Spying on a whole platform
HTTP desync in Discord’s media proxy: Spying on a whole platform 2026-04-16 In 2022, I came across a quirky behavior on media.discordapp.net when I miskeyed a space character into an attachment link: a 502 bad gateway. After some fiddling I realized that this was caused by a HTTP injection bug within the media proxy’s request to the upstream GCP bucket. The space character corrupted the proxied HTTP message, which caused the connection to prematurely terminate. For example, a crafted user request to the media proxy would look like this: GET /attachments/a%20b HTTP/1.1 Host: media.discordapp.netAnd it would trigger an upstream request from the backend like so, which is invalid HTTP: GET /attachments/a b HTTP/1.1 Host: discord.storage.googleapis.comThe server also happily passed on…
