Discord Desktop App Has Bugs to Conduct an XSS Attack

A bug hunter has found several issues in Discord’s desktop client that can be chained together to perform a successful XSS and RCE attack. These were reported and fixed, resulting in warnings to users to update their clients, and rewards to the discoverer from Discord and other tool makers.

Discord Desktop Client Bugs

Discord’s desktop client relies on a number of components, and all of them need to be secured. A bug hunter named Masato Kinugawa discovered issues in three components used by Discord’s desktop app, which let him inject malicious code and eventually run an XSS attack. It started with Electron, the framework Discord uses to draw its UI.

Since Electron is open source, Kinugawa examined the code and found an interesting setting called “contextIsolation”, which was set to false. This option is meant to separate the context of the web page from that of the JavaScript code running outside it. With it disabled, code on the web page (which is external) can influence Discord’s internal code and, through it, the internal Node.js features.

In his blog post, Kinugawa said that “This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false.”
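The effect of a shared context can be modelled in plain Node.js. The following is an added example, not code from Discord, Electron or Kinugawa's post: it uses Node's `vm` module as a stand-in for the renderer's JavaScript contexts, and the allowlist, channel names and `runScenario` helper are constructed for illustration.

```javascript
// Added illustration (not Discord or Electron code): Node's vm module stands in
// for the renderer's JavaScript contexts.
const vm = require('node:vm');

// Constructed stand-in for code that runs outside the web page with extra
// privileges. It trusts a built-in, Array.prototype.includes, for an allowlist.
const PRIVILEGED_SRC = `
  (() => {
    const ALLOWED = ['get-version', 'open-settings'];
    globalThis.isAllowed = (channel) => ALLOWED.includes(channel);
  })();
`;

// Constructed stand-in for script on the web page overriding that built-in.
const PAGE_SRC = `Array.prototype.includes = function () { return true; };`;

// isolated=false models contextIsolation: false (one shared context);
// isolated=true models contextIsolation: true (separate contexts, separate built-ins).
function runScenario(isolated) {
  const pageCtx = vm.createContext({});
  const privilegedCtx = isolated ? vm.createContext({}) : pageCtx;

  vm.runInContext(PRIVILEGED_SRC, privilegedCtx); // privileged code loads first
  vm.runInContext(PAGE_SRC, pageCtx);             // page script runs afterwards

  return {
    knownChannel: vm.runInContext(`isAllowed('get-version')`, privilegedCtx),
    unknownChannel: vm.runInContext(`isAllowed('not-on-the-list')`, privilegedCtx),
  };
}

console.log('shared  :', runScenario(false));
console.log('isolated:', runScenario(true));
```

In the shared case the privileged check accepts a channel that is not on its list, because the page replaced the built-in it depends on; with separate contexts the check is unaffected.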

Having found that he could alter internal code, he next needed a way in. This is when he came across an XSS bug in the iframe embeds, the feature used to display videos in Discord’s chat. He turned to Sketchfab, a 3D content viewer, and discovered a DOM-based XSS issue in it. This let him abuse the embed pages through the iframe.

While this allowed him to inject JavaScript into an iframe, he still needed a way to perform full RCE. He then found a processing error in Electron’s “will-navigate” event code, which let him bypass the navigation restriction and achieve RCE.

Kinugawa reported all these findings to Discord months ago and published the details over the weekend. The bugs were identified as critical, and he was rewarded $5,000 from Discord and another $300 from the Sketchfab team. Bugs in Electron and Sketchfab are now solved.
