Do you prefer to use Discord’s desktop app?
Be aware that Discord has just patched a critical issue in this version that left users like you vulnerable to RCE (remote code execution) attacks.
This security issue was first found in Electron, the software framework on which the Discord desktop app is built.
Discord Desktop App is Vulnerable!
Masato Kinugawa, a bug bounty hunter, published a blog post over the weekend with the technical details of an exploit chain leading to the RCE, which he put together several months ago. The method combines multiple bugs.
Masato Kinugawa explained that…
Here’s where he discovered a cross-site scripting (XSS) issue inside the iframe embed feature (the same one used to display video in chat when a URL is posted). He chose Sketchfab, a 3D content viewer, for the test.
The reason is that Sketchfab is whitelisted in Discord’s content security policy, which means it can be embedded in the iframe; therefore, a DOM-based XSS in the embeds page could be abused.
Building on that, he came across a navigation restriction bypass in the code for Electron’s “will-navigate” event.
This processing error, tracked as CVE-2020-15174, combined with the other two vulnerabilities, let Kinugawa perform the desired RCE attack by getting around the navigation restrictions.
The result? Accessing a web page containing the RCE payload, by using the iframe XSS bug.
Once the Discord team confirmed the bug’s validity, they (the developers) jumped to disable Sketchfab embeds. They also added a sandbox attribute to the iframe.
All findings were registered and reported via Discord’s Bug Bounty program.
Kinugawa was proudly awarded $5,000 for his report, alongside $300 by the Sketchfab team for disclosing the XSS flaw (which is now patched).
Electron’s “will-navigate” issue has also been resolved.
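The two mitigations mentioned above, a navigation restriction on the "will-navigate" event and a sandbox attribute on the embed iframe, can be sketched as follows. This is an added example for defenders building Electron apps, not code from Discord, Electron or Kinugawa's write-up; the function names, the allowed origin and the sample URLs are assumptions made for illustration.

```javascript
// Added example: ALLOWED_ORIGINS and all sample URLs are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Compare the parsed origin, never a string prefix: the host
// "app.example.com.evil.test" begins with an allowed name but is a different origin.
function isAllowedNavigation(rawUrl, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return false; // unparseable target: deny
  }
  if (parsed.protocol !== 'https:') return false; // denies file:, javascript:, data:, http:
  return allowed.has(parsed.origin);
}

// In an Electron main process `contents` is a WebContents; this function only
// needs its .on() method. Returns the list of navigation targets it has blocked.
function guardNavigation(contents, allowed = ALLOWED_ORIGINS) {
  const blocked = [];
  contents.on('will-navigate', (event, url) => {
    if (!isAllowedNavigation(url, allowed)) {
      event.preventDefault();
      blocked.push(url);
    }
  });
  return blocked;
}

// Second layer, independent of the event handler: audit an embed iframe's
// sandbox attribute so the framed page cannot navigate the top-level window.
const TOP_NAV_TOKENS = [
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
];

function sandboxPermitsTopNavigation(sandboxAttr) {
  // A missing attribute means the iframe is not sandboxed at all.
  if (sandboxAttr === null || sandboxAttr === undefined) return true;
  const tokens = sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.some((t) => TOP_NAV_TOKENS.includes(t));
}
```

Because the navigation handler depends on the framework emitting the event, the sandbox check is worth keeping as a separate control.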
Now, I wanted to ask you: have you ever considered using the Discord app (desktop or mobile) for your own business?
There are several reasons why you should use it. The main one: it is free.
It may accelerate your help desk/customer support workflow, and even boost sales and help retain existing customers.
And don’t worry. This probably won’t happen to you.
But what you should be worried about is what could happen to your own business’s infrastructure.
Is it well protected? Let’s hope you know how to answer that.
If you can’t answer, or simply believe it isn’t, then it means we have to talk.