A bug hunter has found a way to execute remote code in Discord’s desktop client and was awarded $5,000 for that discovery. His revealing, now patched, describe bugs in various features of the Discord app and needed to be chained to gain a cross-site scripting attack. This was reported to Discord earlier this year and revealed publicly now.
XSS Bugs in Discord
Discord is popularly used by gamers for communicating while playing. The desktop client of this platform was reported to have multiple bugs, which can be chained to achieve a full RCE attack. Discovered by Masato Kinugawa, his report initially details about Electron, a software framework used by the Discord desktop client.
While the source code of Discord’s desktop client isn’t open, the JavaScript code used by Electron is. This was examined by Masato to find a setting called “contextIsolation” in its build, which was set to false. This allows the outside JavaScript code to impact the inside code, like the Node.js function.
Kinugawa said, “This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false.”
The next bug is in the Sketchfab, a 3D content viewer that’s used for displaying the video content in an iframe. This allows the users to share video URLs in the chats, and open there like the YouTube videos in a short window. While this partially allowed him in, he found a way to bypass the Electron’s “will-navigate“ event code.
This processing issue tracked as CVE-2020-15174, along with the other two led Kinugawa to perform a successful RCE attack, and use the iframe XSS bug to procure the malware payload from a website. He was awarded $5,000 by Discord, and $300 by Sketchfab.
