tmctmt

Spying on everybody's Discord attachments with HTTP desync tmctmt.com/posts/http-des…

everyone is familiar with the "reddit killed forums" discourse, but have you ever seen a site actually metamorphosize into reddit?

@tester47546 The exploit hinged on the GCP connection being HTTP/1, otherwise Discord wouldn't have been able to introduce a CRLF injection vector.

@tmctmt Congrats. How is something like this can even possible with http/2 today? I only see one case where downgrading happens . But not much

Spying on everybody's Discord attachments with HTTP desync tmctmt.com/posts/http-des…

🤞