Can you explain this vulnerability to me?

This vulnerability in Discord's WebSocket API allows an observer to detect whether a user is actually invisible rather than offline. The API includes invisible users in the presences array with a status set to "offline," while truly offline users are omitted entirely. This discrepancy leaks information about a user's real presence state, despite the UI showing invisible users as offline. [1]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can impact you by leaking your true online presence status. Even if you set your status to invisible to appear offline, an observer can determine that you are actually connected and active, potentially compromising your privacy. [1]

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring Discord's WebSocket API responses, specifically by inspecting the `presences` array in the data received. If a user appears in the `presences` array with a status field set to "offline" but still has a presence object (including user ID, empty `client_status`, and empty `activities`), it indicates the user is actually Invisible rather than offline. Commands to detect this would involve capturing and analyzing WebSocket traffic to Discord, for example using tools like `websocat` or `wscat` to connect to the WebSocket API and then parsing the JSON responses for the `presences` array to check for these conditions. [1]

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0