Japanese bug bounty hunter Masato Kinugawa has found multiple vulnerabilities affecting the Discord Desktop app. Elaborating on his findings in a blog post, he explained how exploiting the bugs together could lead to remote code execution.
He found three different vulnerabilities that, chained together, put users at risk. The first was that the app's browser window ran with Electron's contextIsolation setting disabled, which is what opened the door to RCE. As he explained,
nodeIntegration was set to false in the app, which by itself stops page JavaScript from calling Node.js directly. It did not stop the attack: with contextIsolation disabled, page JavaScript shares one JavaScript context with Electron's own privileged renderer code and can tamper with the built-in objects that code relies on, so Node.js functionality stays within reach.
On their own, the first two bugs only gave JavaScript execution inside an embedded iframe, not in the app's top-level frame, and the chain needed code running in the top frame to reach RCE.
The researcher also found a third bug that widened the attack surface. Specifically, he found a navigation restriction bypass in Electron (CVE-2020-15174): a navigation started from inside an iframe could move the app's top-level window to another page despite the app's navigation restriction. Chained with the first two bugs, this allowed RCE.
The following video demonstrates the exploit.
Upon discovering the flaws, the researcher reached out to Discord via their bug bounty program.
Explaining the fixes, he stated,
The third bug was in Electron itself. The Electron project fixed it in the npm releases 11.0.0-beta.1, 10.0.1, 9.3.0 and 8.5.1, and its advisory also describes a workaround for apps that cannot upgrade yet:
Sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.
For his findings, Kinugawa received $5,000 from Discord and $300 from Sketchfab, whose embedded content carried the iframe bug.