XSS Bugs in Discord
Discord is a chat platform popular with gamers for talking while they play. Its desktop client was reported to contain several bugs that could be chained into full remote code execution (RCE). The researcher, Masato Kinugawa, opens his report with Electron, the framework the Discord desktop client is built on. Discord's own client code is not open source, but Electron is, and inspecting the client's settings showed that the webPreferences option "contextIsolation" was set to false. With context isolation disabled, the JavaScript of a loaded web page shares the same global objects and built-in prototypes as Electron's internal scripts and preload scripts, which have Node.js access; overriding a built-in such as Array.prototype.join from the page therefore changes how that privileged code behaves, and that is the foothold for running native code.

The second bug was an XSS in Sketchfab, a 3D model viewer. When a Sketchfab link is posted in a chat, Discord embeds the viewer in an iframe, the same way a YouTube link is shown in a small embedded player, so the XSS gave Kinugawa script execution inside that iframe. That alone was not enough, because Discord used Electron's "will-navigate" event to block the client from navigating to untrusted pages. Kinugawa found a way around that event, an Electron bug tracked as CVE-2020-15174, which let him navigate the client to a page under his control. Chaining the three issues, the iframe XSS, the navigation bypass and the missing context isolation, gave him RCE: his page's JavaScript abused the shared context to fetch and execute a payload on the victim's machine. Discord awarded him $5,000 and Sketchfab $300.