Discord’s Desktop Version had a Critical Flaw that Enabled RCE Attacks

Discord’s desktop app was recently discovered to have a number of flaws, and that using them in the right way could lead to an RCE attack. Fortunately, the flaws were discovered as a part of a Bug Bounty program.

No program, app, or another type of software is perfect, and security researchers often end up discovering new flaws and vulnerabilities that need patching up. The most recent example is Discord, one of the most popular global messaging apps, which was revealed to have a critical issue.

The issue has been discovered by a bug bounty hunter, Masato Kinugawa, who created an exploit chain, leading to remote code execution (RCE) attacks. This took place several months ago.

However, he went public with the flaw over this past weekend, revealing all the technical details of the potential attack, which actually combines several bugs.

The first relevant flaw can be found in the software framework that Discord’s desktop app uses — Electron. As some may know, the Discord app is not open-source. However, the code that Electron uses is, and it can be examined by anyone.

In doing so, the bug bounty hunter found that one of the settings in the Electron build was set to false. The setting in question is ‘contextIsolation.’ and it being false means that JavaScript code outside of the app can influence the one on the inside.

According to Kinugawa, this is dangerous , since Electron allows JavaScript code too much influence. Basically, the code outside of web pages could use the Node.js features on the inside, and interfere with them.

The next issue was how to execute JavaScript on the app itself, which led him to the discovery of another problem — the cross-site scripting (XSS) issue. The issue can be found in the iframe ember feature, which the app uses to show videos in chat when the user posts URLs from elsewhere on the internet.

This is a fun little feature that allows users to watch YouTube clips within Discord, and it is used on other social media platforms, as well. However, on Discord, it suffers from the XSS issue, which eventually led Kinugawa to a 3D content viewer, Ketchfab.

Now, Discord does allow Sketchfab. It is whitelisted in the app’s content security policy, and it can even be included in the iframe.

However, the problem lies in the fact that DOM-based XSS can be abused and misused. In his tests, Kinugawa only managed to execute JavaScript within the iframe itself. Meaning that this issue alone was still not enough to reach the full RCE.

That’s when the bug bounty hunter discovered a third major problem .

In continuation of his research, Kinugawa discovered a navigation restriction bypass, and the fault once again emerged in Electron. This time, it was discovered in its will-navigate event code, and it is known as CVE-2020-15174.

Simply put, this is a processing error that can have some rather disastrous consequence if combined with the previous two vulnerabilities. By using a combination of the three, Kinugawa was able to successfully perform a full RCE attack.

He circumvented navigation restrictions, and then he used the XSS bug found in the iframe to access a foreign website, which had an RCE payload on it.

After confirming that the attack is, indeed, possible Kinugawa went to Discord, directly. He used the company’s Bug Bounty program to reveal the flaws and the method in which they can be utilized.

With the knowledge of what to look for, it did not take Discord’s team long to identify the bugs, confirm their validity, and eventually patch them up.

Developers first needed to disable Sketchfab embeds, and then they added a new, sandbox attribute.

The bug bounty kept monitoring the changes, and in his blog post, he noted that the contextIsolation was enabled after a while. RCE now cannot be achieved, even if an attacker were to execute arbitrary JavaScript on the app.

Fortunately, it would appear that no other entity managed to identify this method of conducting RCE before the bug bounty hunter, so there were no incidents of this nature, as far as it is known. For his efforts, Kinugawa received $5.000 from Discord, and an additional $300 from Sketchfab, which was also notified of the XSS flawed.