Discord Remote Code Execution Vulnerability Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on the Discord RCE vulnerability, achieved by chaining 3 security vulnerabilities, which affects the web app.
Updated on
April 19, 2023
Published on
October 28, 2020
Advisory Type
Vulnerability Report
Application
Discord Chat
Vulnerability
Remote Code Execution (RCE) Chain
The RCE vulnerability found in the VoIP and chat platform Discord is exploited by chaining 3 vulnerabilities in Electron:
  • Missing contextIsolation
  • Cross-Site Scripting (XSS) in the ‘iframe embeds’ feature of Discord
  • Navigation restriction bypass (CVE-2020-15174)
Electron is an open source JavaScript framework used to develop the Graphical User Interface (GUI) of Discord. Since Discord has disabled contextIsolation in its Electron code, any webpage JavaScript can tinker with the execution of Electron’s internal JS code, leading to an RCE attack.

Exploitation of the vulnerability

The adversary exploits the XSS vulnerability in Discord’s ‘iframe embeds’ feature to execute JS code. For example, ‘iframe embeds’ automatically displays a video player on the Discord platform when someone posts a YouTube URL. By exploiting the XSS vulnerability, the attacker executes arbitrary JS code in the browser. As the final step in the chain, a navigation restriction bypass (CVE-2020-15174) is exploited to achieve RCE. Since Electron does not permit the JavaScript to be executed within the iframe, the attacker needs to leave the iframe and execute the JavaScript in a top-level browsing context. This requires opening a new window from the iframe, or navigating the top window to another URL from the iframe. As Discord has disabled Electron’s contextIsolation, the JavaScript is executed by the application itself, achieving RCE and thus compromising the user’s host environment.

Impact

Technical Impact:
  • Attackers can execute arbitrary Operating System commands on the victim's machine, allowing them to compromise the host completely.
  • Exfiltration of data and the creation of persistence that survives restarts enable remote access across the Internet.
  • The attacker can misuse details available on the device to further the attack against other potential targets, or add the host to an existing botnet.
Business Impact:
  • Organisational security is affected if the victim is using a VPN to connect to a remote corporate network.
  • Compromises the endpoint security of the business, giving the attacker access to the internal corporate network.

Mitigation

All security issues have been patched by Electron’s security team; a few specifics are provided below:
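As an added example, not part of the advisory and not Discord's or Electron's own code, the following Electron main-process snippet shows the two application-side controls the advisory points at: a webPreferences audit that flags a disabled contextIsolation (the weak configuration beside a hardened one), and a will-navigate / setWindowOpenHandler allow-list so that navigating the top window or opening a new window from an embedded iframe is denied unless the destination is an origin the application serves. The allow-list origin and all constant and function names are assumptions, the wiring assumes Electron 12 or later for setWindowOpenHandler, and the Electron upgrade carrying the CVE-2020-15174 fix is still required for the will-navigate check to be reliable.

```javascript
// Added example (not CloudSEK's, Discord's or Electron's code): audit Electron
// BrowserWindow webPreferences for the weakness named in the advisory and enforce a
// navigation allow-list for the top frame and for window.open() from any frame.

// Constructed settings: the weak shape the advisory describes next to a hardened one.
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false, sandbox: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Returns a list of findings; an empty list means page JavaScript that runs in the
// renderer cannot reach Electron internals or Node directly.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation not enabled: page JS shares a realm with preload/Electron internals');
  }
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: renderer can require() Node modules');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox not enabled: a compromised renderer is not confined');
  }
  return findings;
}

// Hypothetical allow-list; a real application lists the origins it actually serves.
const ALLOWED_ORIGINS = new Set(['https://app.example.invalid']);

// Decide whether a top-frame navigation or a new window may proceed. Anything that is
// not an allowed https origin is denied, which also covers javascript: and file: URLs
// that would otherwise execute in a top-level browsing context.
function navigationDecision(targetUrl, allowed = ALLOWED_ORIGINS) {
  let url;
  try { url = new URL(targetUrl); } catch { return 'deny'; }
  if (url.protocol !== 'https:') return 'deny';
  return allowed.has(url.origin) ? 'allow' : 'deny';
}

// Wire the policy into a BrowserWindow. Call only inside an Electron main process, with
// `win` created using HARDENED_PREFS; both hooks fire for navigations started by iframes.
function attachNavigationGuards(win) {
  win.webContents.on('will-navigate', (event, url) => {
    if (navigationDecision(url) === 'deny') event.preventDefault();
  });
  win.webContents.setWindowOpenHandler(({ url }) =>
    navigationDecision(url) === 'allow' ? { action: 'allow' } : { action: 'deny' }
  );
}
```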
