Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.
Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines multiple bugs.
This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord's content security policy and can be embedded in the iframe -- but a DOM-based XSS discovered in the embeds page could be abused.
Tracked as CVE-2020-15174, this processing error, combined with the other two vulnerabilities, allowed Kinugawa to perform an RCE attack by circumventing navigation restrictions and using the iframe XSS bug to access a web page containing the RCE payload.
Kinugawa reported his findings via Discord's Bug Bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.
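The two mitigations described above, an origin allowlist for embedded content and a `sandbox` attribute on the embed iframe, together with a main-process navigation gate of the kind Electron's `will-navigate` event enables, as an added example that is not Discord's, Sketchfab's or Electron's code. The allowlist host, the application origin and the sample URLs are constructed for illustration; the functions are plain JavaScript so they can be exercised without a browser or Electron runtime, and the `will-navigate` wiring is shown only in a comment.

```javascript
// Added example: defensive checks a desktop messaging client can apply to
// third-party embeds. Hostnames and origins below are constructed, not real.

const EMBED_ALLOWLIST = new Set(['sketchfab.com']); // constructed allowlist

// Strict host match: exact host or a subdomain of an allowlisted host.
// Parsing with URL (rather than prefix/substring checks) means hosts such as
// "sketchfab.com.evil.example" or non-https schemes are rejected.
function isAllowedEmbedOrigin(rawUrl, allowlist = EMBED_ALLOWLIST) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== 'https:') return false;
  for (const host of allowlist) {
    if (url.hostname === host || url.hostname.endsWith('.' + host)) return true;
  }
  return false;
}

// Attributes for an embed iframe. A sandbox that grants only 'allow-scripts'
// keeps the framed content in an opaque origin: an XSS inside the embed can
// run, but cannot navigate the top-level page, open popups or act as the
// embedding origin.
function buildEmbedIframeAttributes(rawUrl) {
  if (!isAllowedEmbedOrigin(rawUrl)) return null; // not on the allowlist: no embed
  return {
    src: rawUrl,
    // Deliberately omitted: allow-same-origin, allow-top-navigation, allow-popups.
    sandbox: 'allow-scripts',
    referrerpolicy: 'no-referrer',
  };
}

// Navigation gate: only the application's own origin may be navigated to in
// the main window. Wiring sketch for Electron (not executed here):
//   win.webContents.on('will-navigate', (event, url) => {
//     if (!isNavigationAllowed(url, APP_ORIGIN)) event.preventDefault();
//   });
function isNavigationAllowed(rawUrl, appOrigin) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  return url.origin === appOrigin;
}

// Serialize the attributes so the result can be inspected without a DOM.
function renderIframe(attrs) {
  if (!attrs) return '';
  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const body = Object.entries(attrs).map(([k, v]) => `${k}="${esc(v)}"`).join(' ');
  return `<iframe ${body}></iframe>`;
}

// Stand-alone demonstration.
console.log(renderIframe(buildEmbedIframeAttributes('https://sketchfab.com/models/abc/embed')));
console.log(renderIframe(buildEmbedIframeAttributes('https://sketchfab.com.evil.example/embed')));
console.log(isNavigationAllowed('https://attacker.example/', 'https://app.example'));
```

The allowlist and the sandbox are complementary: the allowlist limits which third parties may be framed at all, while the sandbox limits what a compromised page from an allowed third party can do to the host document, and the navigation gate is the last line that keeps a renderer from being steered to a page the application never intended to load.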
Kinugawa was awarded $5,000 for his report by Discord, alongside $300 by the Sketchfab team for the disclosure of the XSS flaw, now patched. Electron's "will-navigate" issue has also been resolved.
ZDNet has reached out to Discord and will update when we hear back.