Several months ago, bug bounty hunter Masato Kinugawa found an exploit chain leading to RCE and published a blog post explaining the technical details of the process, which involved several bugs. Electron, the development framework used for the Discord desktop client, harboured the first security issue. Electron is an open-source project for building cross-platform desktop applications from JavaScript, HTML and CSS; because the Discord app is not open source, its JavaScript is stored locally in the Electron build, where it could be extracted and examined.

One of the settings in Discord's Electron build, "contextIsolation", was set to false, which could allow internal code, such as Node.js functionality, to be reached by JavaScript code from outside the app. The setting is designed to keep the contexts of web pages and the app's own JavaScript separate.

"This behavior is dangerous since Electron allows the JavaScript code outside of web pages to use the functionality of Node.js regardless of the nodeIntegration option, and it may be possible to achieve RCE by interfering with them from the JavaScript on the web page even if the nodeIntegration is set to false," Kinugawa explained.

Next, the researcher needed a way to execute JavaScript in the application, which led to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to display videos in chat when a URL is shared, such as one from YouTube. This led Kinugawa to Sketchfab, a 3D model viewer. Sketchfab is whitelisted in Discord's content security policy and can be embedded in the iframe, but its embed page contained a DOM-based XSS flaw. This only allowed the bug bounty hunter to execute JavaScript inside the iframe, however, and so it was still not possible to achieve full RCE in the Discord desktop app. At least, not until Kinugawa came across a navigation restriction bypass in Electron's "will-navigate" event code. This security flaw, tracked as CVE-2020-15174, combined with the other two vulnerabilities, enabled Kinugawa to achieve RCE by bypassing the navigation restrictions and reaching a web page carrying the RCE payload through the iframe XSS flaw.

Kinugawa submitted his report through Discord's Bug Bounty program. After the Discord team triaged the vulnerability, the developers removed the Sketchfab embed and, to improve its robustness, applied a sandbox attribute to the iframe.

"The contextIsolation was enabled after a while," the bug bounty hunter said. "Now, even though I could execute arbitrary JavaScript on the app, the overridden JavaScript built-in methods do not cause RCE to happen."

Kinugawa was awarded $5,000 by Discord for his report, alongside $300 from the Sketchfab team for the XSS flaw disclosure, which has now been patched. Electron's "will-navigate" issue has been resolved as well.
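As an added example (not code from the article, from Discord or from Electron), the window configuration the article describes beside a hardened one, together with a small audit helper and an allowlist-based will-navigate handler of the kind the fix relies on. It assumes the Electron `webPreferences` keys (`nodeIntegration`, `contextIsolation`, `sandbox`, `webSecurity`) and the `(event, url)` shape of the `will-navigate` handler; it does not import Electron, so it runs under plain Node.

```javascript
// Added example, not from the article or from Electron/Discord.
// Configuration as described in the article: Node integration off but
// contextIsolation off, so page JavaScript shares a realm with internal code.
const weakPrefs = { nodeIntegration: false, contextIsolation: false };

// Hardened renderer settings: isolated context and a sandboxed renderer.
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Audit a webPreferences object; returns a list of findings (empty means OK).
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration enabled in renderer');
  if (prefs.contextIsolation !== true) findings.push('contextIsolation not enabled');
  if (prefs.sandbox !== true) findings.push('renderer sandbox not enabled');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled');
  return findings;
}

// Build a will-navigate handler that only permits navigation to allowlisted
// origins and cancels everything else with event.preventDefault().
// Returns true when navigation is allowed, false when it was cancelled.
// Note: the article reports that will-navigate itself could be bypassed in
// affected Electron versions (CVE-2020-15174), so this guard complements, and
// does not replace, the contextIsolation and sandbox settings above.
function makeNavigationGuard(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function onWillNavigate(event, url) {
    let origin = null;
    try {
      origin = new URL(url).origin; // "null" for javascript:, data:, file: URLs
    } catch (e) {
      origin = null; // unparseable URL: treat as not allowed
    }
    if (origin === null || !allowed.has(origin)) {
      event.preventDefault();
      return false;
    }
    return true;
  };
}

// Usage: contents.on('will-navigate', makeNavigationGuard(['https://discord.com']));
```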