Skip to main content

Embedding the Un-Embeddable

· 9 min read
Simulping

Feature image A 567.14 MB, 12 min 11 s, 2K (2,048 x 858), VP9 + Opus, 6.51 Mbps average, Blender short film "Cosmos Laundromat"

A Scenario

While chatting in your favorite Discord servers & group chats, you may see a friend send a weird link. You might even consider it suspicious on first glance. It is a video featuring an image of a movie poster with a play button that is almost begging to be clicked. Naturally, you click it.

It loads for a second, and to your surprise it is a full-length, 90-minute (sometimes even two hour)-long unauthorized copy of a movie. If you don't know exactly what is going on, you probably sit there dumbfounded as a pixel perfect HD movie plays back. You may have expected a stereotypically muddy, blocky, laggy shitpost, but this has defied your expectations.

stolen.shoes

The truth is, there are multiple site that do this. Currently, there are five at the time of writing. Below is a list the ones I am currently familiar with:

The big question is, how do they work? Let's get to dissecting.

But First, a Quick Disclosure

The Codec Wiki unequivocally condemns any form of piracy, including the unauthorized distribution of copyrighted content. This blog post is intended to educate & inform. You may not use the tools discussed to infringe upon the intellectual property rights of content creators without serious legal risk. We encourage our readers to respect copyright laws & use the tools we discuss here appropriately.

How it Works

The entire scheme is actually very simple, as it is all just HTML meta tags (If you are familiar with web development, this is all a walk in the park).

The technology's inner working can be divided into two distinct parts. First, let's see how it works on the website's end.

The Website's End

If you view each website's source, you will find this specific line in each one but they may have a different order:

<meta property="og:image" content="https://example.com/i/someimageforthumbnail.jpg">
<meta property="og:type" content="video.other">
<meta property="og:video:url" content="https://example.com/v/video.mp4">
<meta property="og:video:width" content="1920">
<meta property="og:video:height" content="1080">

These are the head parts of HTML, which dictate metadata for the document itself such as what the website title/name is, cosmetic embed, defining the site's icon, etc. They are usually found in between the <html> and <body> tags. Here's an example of a static HTML site serving one specific video:

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="shortcut icon" type="image/x-icon" href="../favicon.ico"/>
<title>some embed site</title>
<meta property="og:image" content="https://www.themoviedb.org/t/p/original/3U0vksjSY9LWe3Dqfr6xkgd3iQP.jpg">
<meta property="og:type" content="video.other">
<meta property="og:video:url" content="https://upload.wikimedia.org/wikipedia/commons/3/36/Cosmos_Laundromat_-_First_Cycle_-_Official_Blender_Foundation_release.webm">
<meta property="og:video:width" content="2048">
<meta property="og:video:height" content="858">
</head>
<body>
<h1>Hi</h1>
<p>Just your friendly neighborhood video embed site</p>
</body>
</html>

< br /> These interactive sites usually deploy a live script, like a Javascript framework. Examples are NodeJS, ExpressJS, Svelte, etc. These are used to parse video and thumbnails realtime so they can be embedded on Discord (or potentially other platforms).

Discord's End

Traditionally, Discord's media embedder will impose it's own video embed size limit (50 MiB) when a user sends a direct video link as usual. But in this case Discord will embed the thumbnail first, not the video. You could say the link "tricks" Discord by showing a "false face" first.

Strengths & Limitations

After a combination of countless hours of observation, rigorous testing throughout the period of a year, and conversations with the sites' creators, the current strengths & limitations of this exploit are enumerated below.

Strengths

  • You can embed non-web compatible codecs such as HEVC in MP4/MOV, but the user must be using a compatible browser. Thorium or Safari version 13 or greater will work for HEVC playback.
  • There is no maximum size. You could embed a video the size of a raw Bluray, although I do not condone this unless you have the necessary legal permissions to do so or you're uploading a Creative Commons licensed movie like Big Buck Bunny while adhering to the restrictions of the applicable Creative Commons license. This also means you can send high bitrate gaming clips to your friends without any restrictions, assuming you already have a place to upload them.

Limitations

  • You can only use hotlinks, which means direct linking to the video itself ending in the appropriate file extension such as .mp4. Cloud services like Google Drive or OneDrive will not work for storage.
  • You cannot use Discord's CDN (cdn.discordapp.com) as the video source. I assume this is because of Discord's proxy blocking embeds over 50 MiB, but only discord.nfp.is can do this, as it proxies cdn.discordapp.com itself.
  • You cannot embed videos in any resolutions higher than 3840 x 2160, Discord imposes a hard limit for this on all video after it was discovered that some videos could play normally but then be maliciously scaled to ridiculous resolutions during playback to crash Discord.

Differences between Sites

As mentioned before, there are five known sites at the time of writing. They all serve the same function, but one may interest you more than another due to slight differences in features & functionality.

Here are the sites, each with one noteworthy special benefit:

That concludes the technical overview! Next, let's cover the history of this exploit.

The Lore

Dwayne

In around April of 2022, a Reddit user going by the name of u/CreativeGamer03 posted a video on r/discordapp of a link where a GIF of Dwayne "The Rock" Johnson plays caption with "Is this a GIF or is it a video?" When played, a low-quality music video of Rick Astley's "Never Gonna Give You Up" plays.

The link used is now unfortunately removed.

Discovery

On 23rd June 2022, a Discord user Clybius on the AV1 Community server asked people for VP9 or H.264 videos that were over 100 MB in size. At the time the current 500 MB nitro tier did not exist. They then decided to use a 59 minute 1080p sample video of nature scenery from around the world with a thumbnail featuring a GIF of a waterfall to test the exploit. It worked.

He tried shortly afterward with AV1. Eureka, it also worked:

AV1

Clybius confirmed that this could be patched if discovered. He cites having had the idea from the Dwayne Johnson example above, but forgetting about it for a couple of months. So, it seems this entire concept stemmed from a silly rickroll.

Dwayne

The Experiments & Interactive Site

After the discovery of AV1 embedding, experimentation brought about the discovery that any video codec will work as long as the user can decode/play the codec and the container/extension is an MP4, MOV, or WebM. These are all traditionally web-compatible containers. If you're interested in learning about containers, please see the Containers section on the Terminology page.

This applies to HEVC, ProRes, xHE-AAC, and other bizarre codecs that are rarely seen on the Web.

While experimentating, Clybius converted one their idle domains stolen.shoes into an interactive embedder that provided a textbox for a video URL, a thumbnail URL, a width value, & a height value for the desired video. This would be the first website for Discord embedding.

Virality

It's not long before people outside of the AV1 Community discovered stolen.shoes, and its popularity increased rapidly. Its use usually involved the illicit distribution of full-length, unauthorized copies of movies; this sometimes happened very shortly after some movies were released. There were a couple notable instances of this happenening that caused quite the stir online each time.

  • The first instance featured the DreamWorks sequel of "Puss in Boots (2011)", "Puss in Boots: The Last Wish (2022)". A 1080p video sourced from a streaming site was the first wake up call that attracted attention to the existence of these embed sites. This example used stolen.shoes.

puss

  • The second instance was when highly-anticipated animated film "The Super Mario Bros. Movie (2023)" produced by Illumination, Universal Studios, and Nintendo was spread around Discord. It was first spotted as a Cam (A camera recording by someone in theaters), then as it went out on streaming services a different link appeared but spread faster and with upgraded 1080p quality. Both used stolen.shoes as the embed site.

mario

  • The third instance is very recent as of the day this was posted. A streaming-service sourced "Five Nights at Freddy's (2023)" was spread around since the movie released both in theaters and streaming service (Peacock) day one, and it gained steam extremely fast as most people had not seen it yet. Currently, this illegal novelty is gaining hundreds of upvotes within the r/discordapp subreddit. The copy seems to be a compressed 720p encode. This example used discord.nfp.is.

fnaf

Note the ones listed here are the ones that I saw become extremely popular. There may be lesser known links that have been spread around privately or just did not cause enough noise for me to notice. Some less popular examples I've noticed, featuring more illicit copyrighted content distribution:

  • Top Gun Maverick (2022)
  • The SpongeBob trilogy (2005/2015/2020)
  • Spider-Man: Across the Spider-Verse (2023)

Closing

The ability to embed unusually large videos on Discord has enabled both positive and negative use cases. On the one hand, it allows high-quality content to be shared easily among friends. However, it has also facilitated mass copyright infringement by empowering virtually anyone with a Discord accound to freely spread pirated movies.

While this is fascinating from a technical perspective, embedding techniques like these tread a fine ethical line. As with anything, it is important to be mindful of how our actions affect others, and I should remind everyone that content creators deserve to be compensated for their work. As users, we should support them by accessing their content via legitimate platforms.

It is hard to say how long this exploit will continue to be usable. Instead of enabling piracy, which may cause Discord to be more likely to patch this exploit if they see it as a serious threat, let's instead use these capabilities responsibly to share our own creations, gaming highlights, and other media which we can share legally. Given some thoughtfulness, perhaps we can find a fair balance between respecting copyright law and appeasing Discord's sensibilities while allowing some creative flexibility on the platform.

Thank you for reading this blog post, I hope you learned something!