Trail of Bits

Discord DAVE

Type: Security review

Client: Discord

Date: 2024-08

Domain: Crypto

Effort: 4 wks

Section: Cryptography Reviews

Trail of Bits's security review of Discord (Aug 2024) identified 11 issues: 4 high, 5 medium, 1 low, and 1 informational.

Findings · 11

  1. Commit spam could prevent group updates (Medium)
  2. Commit leaf nodes are not validated by the mlspp library (Medium)
  3. The mlspp library does not validate key package lifetimes (Informational)
  4. Web client may allow a malicious server to conduct a machine-in-the-middle attack on the session (High)
  5. Committing members may fail to send Welcome messages (Medium)
  6. Users could decrypt messages after being removed from the call UI (High)
  7. Key fingerprint verification is vulnerable to partial preimage attacks (Medium)
  8. Abuse reporting mechanism is vulnerable to message forgery (Medium)
  9. DAVE’s media encryption provides weakened forward secrecy guarantees (Low)
  10. The protocol may fail to encrypt AV1-encoded media frames (High)
  11. Video frame header length and header data are not authenticated (High)

Findings extracted from the published report PDF. See the full report below for details and remediation.
