A bug hunter has found a way to execute remote code in Discord’s desktop client and was awarded $5,000 for the discovery. His disclosure of the now-patched issues describes bugs in various features of the Discord app that needed to be chained to gain a cross-site scripting attack. The bugs were reported to Discord earlier this year and have now been revealed publicly.
XSS Bugs in Discord
Discord is widely used by gamers for communicating while playing. The platform’s desktop client was reported to have multiple bugs that can be chained to achieve a full RCE attack. The report, by Masato Kinugawa, first details Electron, the software framework used by the Discord desktop client.
The next bug is in Sketchfab, a 3D content viewer that’s used for displaying video content in an iframe. This lets users share video URLs in chats and open them there in a small window, like YouTube videos. While this partially allowed him in, he then found a way to bypass Electron’s “will-navigate” event code.
This processing issue, tracked as CVE-2020-15174, along with the other two, led Kinugawa to a successful RCE attack, using the iframe XSS bug to fetch the malware payload from a website. He was awarded $5,000 by Discord and $300 by Sketchfab.