Open Bug 1558182 Opened 1 year ago Updated 1 year ago

Discord uses local storage in some way that hides from "manage cookies and site data"


(Firefox :: Preferences, defect, P3)

67 Branch





(Reporter: yumpusamongus, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

  1. Log in to a Discord account.

  2. Go to about:preferences#privacy -> Manage Data...

  3. Type "discord" in the search box.

  4. Remove All Shown, confirm.

  5. Refresh the Discord tab.

Actual results:

Discord account is still logged in.

Expected results:

Discord account should be fully logged out and all discord-related state discarded. To Discord's, server, this should be completely indistinguishable from a newly-created Firefox profile that has never visited the Discord website before.

Further information: This is likely caused by whatever malware technique(s) Discord is using to discourage third-party clients. The thing they're doing is probably a fully-general way of hiding tracking cookies from the browser UI. I feel that Firefox should be able to protect its users from this form of malware. Perhaps persistent data objects could be tagged with whatever URL was in the bar when they were created, so that they would show up in the search?

The particular user story here is that my browser somehow got logged into a guest Discord account rather than my normal account, and I ended up having to use Google to figure out how to log out through their blackhat UI.

Component: Untriaged → Preferences

Hey ewright, is this something your team would be interested in looking into? It sounds like Discord has found a creative way to "mark" a browser that's immune to clearing site data.

Flags: needinfo?(ewright)
Priority: -- → P3

I'm very interested in this but I don't think we can prioritize it right now. I'll add it to the backlog...

Flags: needinfo?(ewright)
You need to log in before you can comment on or make changes to this bug.