Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.
Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post[1] over the weekend describing the technical details of the method, which combines multiple bugs.
The first security issue was found in Electron[2], the software framework used by the Discord desktop app. While the desktop app is not open source, the JavaScript code utilized by Electron -- an open source project for creating cross-platform apps able to harness JavaScript, HTML, and CSS -- was saved locally and could be extracted and examined.
One of the settings in Discord's Electron build, "contextIsolation," was set to false. This could allow JavaScript code from web content loaded by the app to tamper with internal code, including code that uses Node.js functions. The feature was designed to keep a web page's JavaScript in a separate context from the JavaScript code that runs outside web pages.
"This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false," Kinugawa explained.
Now, the researcher needed a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to display video in chat when a URL is posted, such as one from YouTube.
This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord's content security policy