Do you prefer to use Discord’s desktop app?
Be aware: Discord has just patched a critical issue in this version that left users like you vulnerable to remote code execution (RCE) attacks.
The issue stems from Electron, the software framework the Discord desktop app is built on, and from how Discord configured it.
Discord Desktop App is Vulnerable!
Masato Kinugawa, a bug bounty hunter, published a blog post over the weekend with the technical details of an exploit chain he had reported several months ago and that led to RCE. The chain combines three separate bugs.
He could analyze the app because, while the Discord desktop app is not open source, the JavaScript it runs on top of Electron ships with the app and is saved locally, so it can be extracted and examined.
Electron itself is an open-source project for building cross-platform desktop apps with JavaScript, HTML, and CSS.
Electron has a contextIsolation setting. With it set to false, as it was in Discord, JavaScript running in the web page shares the same JavaScript context as Electron's internal code, so page code can tamper with the built-in functions (for example by overriding a method on a JavaScript prototype) that the internal code, which can call Node.js functions, relies on.
The setting exists to keep the JavaScript context of Electron's internal code separate from that of the web page.
Masato Kinugawa explained that…
“This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false.”
To exploit this, he needed a way to execute JavaScript inside the application.
He found one in a cross-site scripting (XSS) bug in the iframe embed feature, the same feature that displays a video in chat when a URL is posted. He chose Sketchfab, a 3D content viewer, for the test.
Sketchfab is whitelisted in Discord's content security policy, which means its pages can be embedded in the iframe, so a DOM-based XSS on the embed page could be abused to run JavaScript inside the app.
At least, that was the idea. He did get JavaScript executing in the iframe, but that alone was not enough for full RCE.
That limitation led him to a third bug: a bypass of the navigation restriction that Discord enforces through Electron's “will-navigate” event.
This bug, tracked as CVE-2020-15174, combined with the other two vulnerabilities, let Kinugawa get around the navigation restriction and complete the RCE.
The result: using the iframe XSS bug, the app could be made to load a web page containing the RCE payload.
“After a while, the contextIsolation was enabled. Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods.”
Once the Discord team confirmed the bug's validity, the developers disabled Sketchfab embeds and added a sandbox attribute to the iframe.
All findings were registered and reported via Discord’s Bug Bounty program.
Kinugawa was awarded $5,000 for his report, plus $300 from the Sketchfab team for disclosing the XSS flaw, which is now patched.
The Electron “will-navigate” issue has also been resolved.
Now, I wanted to ask you: have you ever considered using the Discord app (desktop or mobile) for your own business?
There are several reasons you might. The main one: it's free.
It may speed up your help desk or customer support workflow, and even boost sales and help you retain existing customers.
And don't worry: this probably won't happen to you.
What you should be worried about is what could happen to your own business's infrastructure.
Is it well protected? Let's hope you know how to answer that.
If you can't answer, or you already believe it isn't, then we need to talk.