The purpose of this writeup is to document a method that can be exploited in order to transfer files to a Discord user's Windows system, without said user's explicit consent. This method does not allow for immediate and direct execution of the file, therefore it does not qualify as an individual security vulnerability.
LSR requires an image file that will not be modified by Discord. Images that have already been compressed are not modified in any way, EOF data is not trimmed or altered. Using such an image, any file can be split into chunks that (combined with the image) don't exceed 8Mb, which is the upload limit for regular Discord accounts. These images containing EOF data can be sent to a user without being altered - file hashes do not match, so remote caching can not be used, and the original image has already been compressed, thus no additional compression will take place. As soon as the user views the given conversation and the images load, they a