Remote Code Execution (RCE) Chain
- Missing contextIsolation
- Cross-Site Scripting (XSS) in the ‘iframe embeds’ feature of Discord
- Navigation restriction bypass (CVE-2020-15174)
- Attackers can execute arbitrary Operating System commands on the victim's machine allowing them to compromise the host completely.
- Exfiltration of data and creation of persistence to survive restarts enables remote access across the Internet.
- The attacker can misuse details available on the device to further the attack against other potential targets or add the host to an existing botnet.
- Organisational security is affected if the victim is using a VPN to connect to a remote corporate network.
- Compromises the endpoint security of businesses, giving the attacker access to the internal corporate network.
Mitigation
All security issues have been patched by Electron’s security team; a few specifics are provided below:
- For users: Install the updated version of Discord
- For developers: Security advisory for CVE-2020-15174 (https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674)