
Discord has patched a critical security issue


A security researcher has found a way to chain multiple security vulnerabilities in Discord to achieve remote code execution (RCE). The exploit, which affects only the desktop version of the messaging app, would let an attacker run code remotely on the user's machine.

The RCE relied on a complex bug chain. Its starting point was that Discord had disabled the ‘contextIsolation’ feature in its Electron build, which let JavaScript from web content rendered inside the app tamper with the app's own internal code. A cross-site scripting flaw and a bypass of the navigation restriction implemented in Electron's "will-navigate" event handling were then combined with it to make RCE possible.
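To make the two Electron-side mitigations concrete, here is an added example (not Discord's or Electron's own code) of a main-process helper that audits the webPreferences named above and cancels navigations to origins outside an allow-list; the allow-list origins and the fake webContents shape are constructed for illustration.

```javascript
// Weak settings of the kind the article describes: with contextIsolation
// off, script from rendered web content shares a JavaScript world with the
// app's preload/internal code and can override JavaScript built-ins.
const weakWebPreferences = { contextIsolation: false, nodeIntegration: true };

// Hardened settings: isolated context, no Node.js in the renderer, sandboxed.
const hardenedWebPreferences = {
  contextIsolation: true,
  nodeIntegration: false,
  sandbox: true,
};

// Report which security-relevant webPreferences are missing or weak.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.contextIsolation !== true) findings.push('contextIsolation disabled');
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration enabled');
  if (prefs.sandbox !== true) findings.push('sandbox disabled');
  return findings;
}

// Decide whether a navigation target is on the allow-list. Only http(s)
// origins are accepted, so javascript:, file: and data: URLs are refused,
// as is anything that does not parse as a URL at all.
function isNavigationAllowed(targetUrl, allowedOrigins) {
  let url;
  try { url = new URL(targetUrl); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return allowedOrigins.includes(url.origin);
}

// Attach a 'will-navigate' guard to an Electron webContents (or any object
// with the same on(event, handler) shape) that cancels disallowed navigations.
// Note: the article's chain bypassed this event, so this guard is one layer
// alongside contextIsolation and iframe sandboxing, not a replacement.
function registerNavigationGuard(webContents, allowedOrigins) {
  webContents.on('will-navigate', (event, url) => {
    if (!isNavigationAllowed(url, allowedOrigins)) {
      event.preventDefault();
    }
  });
}
```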

The vulnerabilities were discovered by Masato Kinugawa, a self-confessed bug hunter who reported the issues as soon as he could verify them. Discord acted swiftly to patch the flaws and an RCE attack no longer appears to be possible.

Bug bounty

“These issues were reported through Discord's Bug Bounty Program,” Kinugawa explained via his security blog. “First, the Discord team disabled the Sketchfab embeds, and a workaround was taken to prevent navigation from the iframe by adding the sandbox attribute to the iframe. After a while, the contextIsolation was enabled. Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods. I received $5,000 as a reward for this discovery.”

Bug bounty programs like those offered by Discord incentivize hackers to discover security flaws before they can be used for malicious ends. Often these initiatives come with guarantees that no legal action will follow and cash rewards are usually given.

Because the Discord RCE exploit chained bugs across several components, Sketchfab, a platform used to publish virtual reality content, and Electron, the framework used to develop desktop GUI apps, also had to be informed of their respective bugs. Both have now been patched as well.

Via ZDNet