Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.
Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines several bugs.
The search for a way to run attacker-controlled JavaScript inside the app led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord's content security policy and can be embedded in an iframe, but a DOM-based XSS discovered in the embed page could be abused.
The third bug, tracked as CVE-2020-15174, is in Electron, the framework Discord's desktop app is built on: the will-navigate event, which apps use to block navigation to unexpected destinations, was not emitted in some cases. Combined with the other two vulnerabilities, it allowed Kinugawa to reach RCE by using the iframe XSS to navigate the app to a web page containing the RCE payload, bypassing Discord's navigation restrictions along the way.
Kinugawa reported his findings via Discord's bug bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.
Kinugawa was awarded $5,000 for his report by Discord, along with $300 from the Sketchfab team for the disclosure of the XSS flaw, which has now been patched. Electron's "will-navigate" issue has also been resolved.
ZDNet has reached out to Discord and will update when we hear back.