Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.
Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines multiple bugs.
This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord's content security policy and can be embedded in the iframe -- but a DOM-based XSS discovered in the embeds page could be abused.
Tracked as CVE-2020-15174, this processing error, combined with the other two vulnerabilities, allowed Kinugawa to perform an RCE attack by circumventing navigation restrictions and using the iframe XSS bug to access a web page containing the RCE payload.
Kinugawa reported his findings via Discord's Bug Bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.
Kinugawa was awarded $5,000 for his report by Discord, alongside $300 by the Sketchfab team for the disclosure of the XSS flaw, now patched. Electron's "will-navigate" issue has also been resolved.
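As an added example (not Discord's, Sketchfab's or Electron's code), the two defences the fix relies on: an iframe embed that carries a sandbox attribute without allow-top-navigation or allow-same-origin, and a will-navigate guard that refuses any top-level navigation off an allowlisted origin, so script running inside a third-party frame cannot steer the desktop window to a page of its choosing. The origin names, the embed URL and the Electron wiring are assumptions for illustration.

```javascript
// Added example, not code from Discord, Sketchfab or Electron.
// Origins below are constructed placeholders.
const ALLOWED_NAVIGATION_ORIGINS = new Set([
  'https://app.example.test', // assumed: the application's own origin
]);

// Decide whether the top-level window may navigate to `target`.
// Only https URLs on an allowlisted origin pass; file:, javascript:, data:,
// unknown hosts and malformed input are all refused.
function isNavigationAllowed(target, allowed = ALLOWED_NAVIGATION_ORIGINS) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // unparseable input is never a valid navigation target
  }
  if (url.protocol !== 'https:') return false;
  return allowed.has(url.origin);
}

// Build the markup for a third-party embed. The sandbox value deliberately
// omits allow-same-origin (script gets an opaque origin, no access to the
// embedder's storage or DOM) and allow-top-navigation (the frame cannot
// redirect the window that embeds it), which is the property the sandbox
// attribute added to the iframe provides.
function sandboxedEmbed(src) {
  const url = new URL(src);
  if (url.protocol !== 'https:') throw new Error('embed must be https');
  const safeSrc = url.href.replace(/"/g, '&quot;');
  return `<iframe src="${safeSrc}" sandbox="allow-scripts allow-popups"></iframe>`;
}

// Wiring for an Electron main process (assumed usage; `app` is Electron's app
// object). will-navigate fires for top-level navigations of each WebContents;
// the handler cancels any target that fails the allowlist, and requests to
// open new windows are denied outright.
function installNavigationGuard(app) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-navigate', (event, url) => {
      if (!isNavigationAllowed(url)) event.preventDefault();
    });
    contents.setWindowOpenHandler(() => ({ action: 'deny' }));
  });
}
```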
ZDNet has reached out to Discord and will update when we hear back.