A bug hunter has found several issues in Discord's desktop client that can be chained together into a successful XSS and RCE attack. The issues were reported and fixed, prompting warnings to users to update their clients and bounty rewards to the discoverer from Discord and other tool makers.
Discord Desktop Client Bugs
Discord's desktop client relies on a number of components, and each of them needs to be secured. A bug hunter named Masato Kinugawa discovered issues in three components used by Discord in its desktop app, letting him inject malicious code and eventually run an XSS attack. It started with Electron – the framework Discord uses to render its UI.
Having found that he could alter internal elements, he still needed a way in. That came from an XSS bug in the iframe embedding feature used to display videos in Discord's chat. He then turned to Sketchfab, a 3D content viewer, where he discovered a DOM-based XSS issue. This let him abuse the embed pages through the iframe.
Kinugawa reported all of these findings to Discord months ago and finally published the details over the weekend. The bugs were rated critical and earned him $5,000 from Discord, plus another $300 from the Sketchfab team. The bugs in Electron and Sketchfab are now fixed.