HeadlinesBriefing.com

Discord’s Link Preview Proxy Exposes Hidden Read Receipts

Hacker News

Discord deliberately offers no read receipts, a privacy promise that a timing-based tracking flaw turns into a leak. When a user posts a URL, Discord’s backend fetches the Open Graph image itself and serves it through the images-ext-1.discordapp.net proxy, so the linked site never sees the recipients’ clients load it. The flaw abuses the proxy’s retry logic to reveal when a recipient’s client renders the embed.

The bug hinges on the proxy making two separate fetches: a quick validation request when the message is posted, which accepts any image payload, and a later cache-filling request issued when the recipient’s client renders the preview. An attacker who controls the linked host answers the validation fetch with a valid image and every later fetch with an HTTP 500. The proxy then retries six times, and each burst of retries arriving at the attacker’s server marks, to within seconds, one occasion on which the message was viewed.

A proof-of-concept tool automates the chain, clustering the bursts of six timed requests to reconstruct when, and for how long, a message was on screen. The attacker can also hide the link behind a nearly invisible markdown character, so the link and its embed are barely noticeable while still triggering the tracking sequence.
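To make the two halves of the technique concrete, here is an added Python model of the attack as the article describes it. It is not the disclosed proof-of-concept or any Discord code. One part stands in for the attacker-controlled image host, which serves a real image to the first fetch and HTTP 500 to every later one; the other part clusters the timestamps of the resulting retry bursts into view sessions. The six-retry count is the article’s; the retry interval, the burst-gap threshold and the simulated proxy behaviour are assumptions made for the model.

```python
"""Model of the retry-based read-receipt side channel (added example).

Part 1: TrackingOrigin plays the attacker-controlled image host. It returns a
real image to the proxy's first (validation) fetch and HTTP 500 to every later
fetch, so each time the recipient's client renders the embed the proxy's
cache-fill fetch fails and is retried.
Part 2: cluster_view_sessions() groups the timestamps of those failed fetches
into bursts, one burst per rendering of the embed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RETRIES_AFTER_500 = 6   # retry count given in the article
RETRY_INTERVAL = 0.5    # seconds between proxy retries (assumed for the model)
BURST_GAP = 5.0         # requests further apart than this are separate bursts (assumed)

# Smallest valid GIF (1x1, one colour) so the validation fetch sees a real image.
ONE_PIXEL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)


@dataclass
class TrackingOrigin:
    """Attacker-controlled image server: 200 with an image once, then 500 forever."""
    log: List[Tuple[float, int]] = field(default_factory=list)  # (timestamp, status)
    served_image: bool = False

    def handle(self, now: float) -> Tuple[int, bytes]:
        if not self.served_image:
            self.served_image = True
            self.log.append((now, 200))
            return 200, ONE_PIXEL_GIF
        self.log.append((now, 500))
        return 500, b""


def cluster_view_sessions(timestamps, gap=BURST_GAP, min_size=RETRIES_AFTER_500):
    """Group timestamps into bursts separated by more than `gap` seconds.

    Returns (start, end, n_requests) for each burst holding at least
    `min_size` requests; smaller clusters (stray probes) are dropped.
    """
    sessions = []
    ts = sorted(timestamps)
    if not ts:
        return sessions
    start = prev = ts[0]
    count = 1
    for t in ts[1:]:
        if t - prev > gap:
            if count >= min_size:
                sessions.append((start, prev, count))
            start, count = t, 0
        count += 1
        prev = t
    if count >= min_size:
        sessions.append((start, prev, count))
    return sessions


def simulate_proxy(view_times, retries=RETRIES_AFTER_500, interval=RETRY_INTERVAL):
    """Drive the origin the way the article describes the proxy behaving.

    One validation fetch at t=0 (gets the image), then, for each time the
    recipient renders the embed, one cache-fill fetch that gets a 500
    followed by `retries` retries spaced `interval` seconds apart.
    """
    origin = TrackingOrigin()
    origin.handle(0.0)
    for t in view_times:
        for k in range(1 + retries):
            origin.handle(t + k * interval)
    return origin


def recover_views(origin: TrackingOrigin):
    """Attacker's analysis: cluster only the failed (500) fetches into sessions."""
    failed = [t for t, status in origin.log if status == 500]
    return cluster_view_sessions(failed)


if __name__ == "__main__":
    # Constructed scenario: the recipient opens the channel at t=100s and again at t=350s.
    origin = simulate_proxy([100.0, 350.0])
    for start, end, n in recover_views(origin):
        print(f"embed rendered at t={start:.1f}s ({n} requests over {end - start:.1f}s)")
```

Each view produces one burst: the failed cache-fill fetch plus six retries. Two renderings closer together than `BURST_GAP` would merge into one session, so the gap threshold has to be tuned to the proxy’s actual retry spacing; that tuning, like the half-second interval here, is an assumption of the model rather than a figure from the disclosure.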

Discord responded by tightening the proxy’s error handling and adding a Cloudflare warm-up step to prevent 500 responses from being cached. The issue, reported via HackerOne in late 2024, earned a bounty and was publicly disclosed in early 2025. It is a reminder that even a platform built around a privacy promise can leak through a subtle timing side channel.