Picsart Account Discord SDK [upd]
The story wasn’t just technical—it was legal. Artify’s terms promised that the SDK would never expose Scrapbook data without explicit folder-by-folder consent. CordChat’s developer policy required that linked accounts maintain least-privilege access.
Maya’s Slack pinged. It was Leo, the Discord-side (CordChat) SDK integration lead. Leo: “Hey. Why are private ‘Scrapbook’ assets showing up as stickers in #general?” Maya’s stomach turned. She opened the logs.
The bug was buried in the account linking handshake—specifically, the scope parameter. When a user clicked “Connect Artify to CordChat,” the SDK requested read:public and write:canvases. But a race condition in the token exchange allowed a malformed callback from CordChat’s rate-limiter to downgrade the scope validation. For 0.03% of users, the SDK defaulted to read:all.
And because CordChat’s CDN cached everything aggressively, those private images had already been served as thumbnails in public channels, reposted by bots, and saved to user libraries.