Discord has fixed a critical issue in the desktop edition of its chat software that left users vulnerable to remote code execution (RCE) attacks.
Several months ago, bug bounty hunter Masato Kinugawa built an exploit chain leading to RCE, and over the weekend he published a blog post explaining the technical details of the process, which involves several bugs. The starting point was that the Discord desktop app, built on Electron, ran with contextIsolation disabled, so JavaScript executing in the renderer could reach Node.js functionality; a cross-site scripting (XSS) bug was therefore enough to turn script injection into code execution.
That led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord's Content Security Policy and can be embedded in an iframe, but its embeds page turned out to contain a DOM-based XSS.
Script running inside the iframe still had to reach a page hosting the RCE payload, which Discord's navigation restrictions were meant to prevent. Electron's will-navigate event had a flaw, tracked as CVE-2020-15174, that let a sub-frame perform a top-frame navigation and bypass those restrictions. Combined with the other two vulnerabilities, it allowed Kinugawa to pivot from the iframe XSS to a web page carrying the RCE payload and achieve code execution.
Kinugawa submitted his findings through Discord's Bug Bounty program. After the Discord team triaged the reports and confirmed the vulnerabilities, the developers removed the Sketchfab embeds and applied a sandbox attribute to the iframe.
Discord awarded Kinugawa $5,000 for his report, and the Sketchfab team paid $300 for the disclosure of the XSS flaw, which has since been patched. The Electron will-navigate issue has also been fixed.
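For readers hardening their own Electron app against the same kind of chain, here is an added example (my own illustration, not Discord's, Sketchfab's or Electron's code) of the app-side controls involved: the origin check an app runs in its will-navigate handler (the check that CVE-2020-15174 let a sub-frame sidestep), the renderer settings that stop an in-page XSS from reaching Node.js, and a sandboxed iframe of the kind Discord applied. The allowlisted origins, the allow-scripts-only sandbox token set, and the helper names are assumptions made for illustration; the exact settings Discord ships are not on the page.

```javascript
'use strict';
// Added example, not Discord's or Electron's code. Runs under plain Node so the
// decision logic can be exercised; the Electron hook-up takes a webContents.

// Origins the top-level window may navigate to. Constructed allowlist for this
// example; a real app maintains its own.
const ALLOWED_NAVIGATION_ORIGINS = new Set([
  'https://discord.com',
  'https://discordapp.com',
]);

// The check an Electron app performs in its `will-navigate` handler.
// CVE-2020-15174 meant the event was not raised when a sub-frame (here, the
// embedded Sketchfab iframe) triggered a cross-site top-frame navigation, so a
// check like this never ran; fixed Electron versions raise the event again.
function navigationAllowed(targetUrl, allowed = ALLOWED_NAVIGATION_ORIGINS) {
  let url;
  try {
    url = new URL(targetUrl);
  } catch {
    return false; // unparsable input: refuse rather than guess
  }
  if (url.protocol !== 'https:') return false; // rejects javascript:, file:, http:
  return allowed.has(url.origin); // exact origin match, never a substring test
}

// Attach the check to a webContents. Cancelling the event is what stops the
// navigation to an attacker-hosted page carrying the RCE payload.
function installNavigationGuard(webContents) {
  webContents.on('will-navigate', (event, targetUrl) => {
    if (!navigationAllowed(targetUrl)) event.preventDefault();
  });
}

// Renderer settings that keep an in-page XSS from becoming code execution.
// Kinugawa's write-up notes the Discord renderer ran with contextIsolation
// disabled; with it enabled and nodeIntegration off, injected script has no
// bridge to Node.js APIs. Passed as `webPreferences` to new BrowserWindow().
function hardenedWebPreferences() {
  return {
    contextIsolation: true,
    nodeIntegration: false,
    sandbox: true,
    webviewTag: false,
  };
}

// Markup for a third-party embed. A `sandbox` attribute that omits
// allow-top-navigation and allow-same-origin is the kind of fix Discord applied:
// script in the frame still runs, but cannot navigate the top window. The
// allow-scripts-only token list is this example's choice, not Discord's.
function sandboxedEmbed(src) {
  const escaped = String(src).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
  return `<iframe sandbox="allow-scripts" src="${escaped}"></iframe>`;
}
```

The origin comparison uses `url.origin` rather than a substring or prefix test, so lookalike hosts such as `discord.com.attacker.example` and userinfo tricks such as `https://discord.com@attacker.example/` are rejected, and non-https schemes never reach the allowlist at all.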