Posted on October 19, 2020 at 1:02 PM
Discord’s desktop app was recently found to contain a number of flaws that, when chained together in the right way, could lead to a remote code execution (RCE) attack. Fortunately, the flaws were discovered as part of a bug bounty program.
No program, app, or other type of software is perfect, and security researchers regularly discover new flaws and vulnerabilities that need patching. The most recent example is Discord, one of the most popular global messaging apps, which was revealed to have a critical issue.
The issue was discovered by a bug bounty hunter, Masato Kinugawa, who built an exploit chain leading to remote code execution (RCE). This took place several months ago.
However, he only went public with the flaw over this past weekend, revealing the full technical details of the potential attack, which combines several bugs.
The first flaw
The first relevant flaw lies in the software framework that Discord’s desktop app is built on, Electron. As some may know, the Discord app itself is not open-source. However, the Electron code is, and it can be examined by anyone.
The second flaw
The second flaw involves the embed feature, a fun little function that allows users to watch YouTube clips within Discord; the same kind of embed is used on other social media platforms as well. On Discord, however, this embed feature was affected by an XSS issue, which eventually led Kinugawa to a 3D content viewer, Sketchfab.
Discord does allow Sketchfab: it is whitelisted in the app’s content security policy, and it can even be loaded inside the embed iframe.
That’s when the bug bounty hunter discovered a third major problem.
The third flaw
Continuing his research, Kinugawa discovered a navigation restriction bypass, and once again the fault lay in Electron. This time it was found in the framework’s will-navigate event code, and it is tracked as CVE-2020-15174.
Simply put, this is a processing error that can have rather disastrous consequences when combined with the previous two vulnerabilities. By chaining all three, Kinugawa was able to perform a full RCE attack.
He circumvented the navigation restrictions, then used the XSS bug in the embedded iframe to reach an external website that hosted an RCE payload.
The flaws were patched and the attack is no longer possible
After confirming that the attack was indeed possible, Kinugawa went directly to Discord. He used the company’s bug bounty program to disclose the flaws and the method by which they could be exploited.
Knowing what to look for, it did not take Discord’s team long to identify the bugs, confirm their validity, and patch them.
Developers first needed to disable Sketchfab embeds, and then they added a new sandbox attribute to the embed iframe.
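The two mitigations named above, an allowlisted embed host and a restrictive iframe sandbox, can be illustrated in a few lines. The helper below is an added example written for this article, not Discord’s code; the allowlist contents, the function names and the chosen sandbox tokens are assumptions.

```javascript
// Hosts permitted as embeds. Sketchfab is the one named in the article;
// the list itself is a constructed assumption. Matching is on the exact
// hostname, so subdomains must be listed explicitly.
const EMBED_ALLOWLIST = new Set(["sketchfab.com"]);

// Sandbox tokens granted to an embed. Deliberately omits allow-same-origin
// (which would let frame content reach the embedding origin's DOM and storage)
// and allow-top-navigation (which would let an XSS inside the frame steer the
// top-level window to an attacker-chosen page, the step the article's chain relied on).
const SANDBOX_TOKENS = ["allow-scripts", "allow-popups"];

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Return the normalised embed URL, or null if it must not be embedded.
// Parsing with the URL class means the hostname is compared exactly, so
// look-alikes such as sketchfab.com.evil.example or a sketchfab.com@ userinfo
// prefix do not pass the allowlist.
function validateEmbedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== "https:") return null;
  if (u.username || u.password) return null;
  if (!EMBED_ALLOWLIST.has(u.hostname)) return null;
  return u.href;
}

// Build iframe markup for an allowlisted embed, or null if the URL is rejected.
function renderEmbed(raw) {
  const href = validateEmbedUrl(raw);
  if (href === null) return null;
  return `<iframe sandbox="${SANDBOX_TOKENS.join(" ")}" src="${escapeAttr(href)}"></iframe>`;
}

// Audit check: does an existing sandbox attribute value still keep the frame
// from reaching the parent origin or navigating the top-level window?
// A missing attribute (null/undefined) means no sandbox at all.
function sandboxIsRestrictive(attrValue) {
  if (attrValue === null || attrValue === undefined) return false;
  const tokens = new Set(attrValue.trim().split(/\s+/).filter(Boolean));
  return !tokens.has("allow-same-origin") && !tokens.has("allow-top-navigation");
}
```

`sandboxIsRestrictive` is the check to run over the embed markup an app already emits; `renderEmbed` is the shape of the fix for anything it rejects.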
Fortunately, it would appear that no one else had identified this method of achieving RCE before the bug bounty hunter did, so as far as is known there were no incidents of this nature. For his efforts, Kinugawa received $5,000 from Discord and an additional $300 from Sketchfab, which was also notified of the XSS flaw.