Discord desktop app vulnerability chain triggered remote code execution attacks

The critical security issue was reported via the chat app’s bug bounty program.


Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.  

Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines multiple bugs.

The first security issue was found in Electron, the software framework used by the Discord desktop app. While the desktop app is not open source, the JavaScript code utilized by Electron -- an open source project for creating cross-platform apps able to harness JavaScript, HTML, and CSS -- was saved locally and could be extracted and examined. 


One of the settings in Discord's Electron build, "contextIsolation," was set to false. This allowed JavaScript code running in the web page to interfere with Electron's internal code, including code that uses Node.js features. The option is designed to keep the JavaScript context of web pages separate from the context of Electron's own internal scripts.

"This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false," Kinugawa explained. 

Now, the researcher needed a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to display video in chat when a URL is posted, such as one from YouTube. 

This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord's content security policy and can be embedded in the iframe -- but a DOM-based XSS discovered in the embeds page could be abused. 


However, this only allowed the bug bounty hunter to execute JavaScript in the iframe, and so it still wasn't possible to achieve full RCE on the Discord desktop app. At least, not until Kinugawa came across a navigation restriction bypass in Electron's "will-navigate" event code. 

Tracked as CVE-2020-15174, this processing error, combined with the other two vulnerabilities, allowed Kinugawa to perform an RCE attack by circumventing navigation restrictions and using the iframe XSS bug to access a web page containing the RCE payload.   

Kinugawa reported his findings via Discord's Bug Bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.


"After a while, the contextIsolation was enabled," the bug bounty hunter added. "Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods."

Kinugawa was awarded $5,000 for his report by Discord, alongside $300 by the Sketchfab team for the disclosure of the XSS flaw, now patched. Electron's "will-navigate" issue has also been resolved.  

ZDNet has reached out to Discord and will update when we hear back.
