The desktop app of the popular instant messaging and VoIP platform Discord had a vulnerability that exposed it to remote code execution (RCE) attacks. First revealed by bug bounty hunter Masato Kinugawa, the RCE could be exploited to take over the victim's computer.
Kinugawa first detected the vulnerability a few months ago and reported it via Discord's bug bounty program. In a detailed description on his blog, he said the vulnerability was a combination of multiple bugs: missing contextIsolation, XSS in iframe embeds and a navigation restriction bypass.
Two More Bugs
When the Japanese cybersecurity researcher checked the domains in the iframe, he found Sketchfab, which enables 3D content viewing on web pages. While Sketchfab could be embedded in the iframe, he found a DOM (Document Object Model)-based XSS vulnerability in the embed page that could be abused.