A security researcher has discovered a way to chain multiple Discord security vulnerabilities to achieve remote code execution (RCE). The exploit, which only affects the desktop version of the messaging app, allows attackers to run code remotely.

The RCE relied on a complex bug chain. Discord had disabled the ‘contextIsolation’ feature in its Electron build, which allowed JavaScript code originating outside the app to influence the app’s internal code. A cross-site scripting flaw and a navigation restriction bypass in Electron’s “will-navigate” event code were also used to make RCE possible.
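The two Electron settings named above can be checked from the defensive side. The following is an added example, not code from Discord or from the researcher: it audits a window's webPreferences and enforces an origin allow-list in a "will-navigate" handler. The function names, the `ALLOWED_ORIGINS` list and the sample values are hypothetical.

```javascript
// Added example. auditWebPreferences, isNavigationAllowed, guardNavigation
// and ALLOWED_ORIGINS are hypothetical names, not Discord's code.

// Safe values for the Electron webPreferences keys relevant to this bug class.
const SAFE_PREFS = { contextIsolation: true, nodeIntegration: false, sandbox: true };

// Strict audit: a key counts as safe only when it is set explicitly to the
// safe value, because the defaults differ between Electron versions.
function auditWebPreferences(prefs = {}) {
  return Object.keys(SAFE_PREFS)
    .filter((key) => prefs[key] !== SAFE_PREFS[key])
    .map((key) => `${key} should be ${SAFE_PREFS[key]} (found ${prefs[key]})`);
}

// Compare parsed origins, never string prefixes: a host such as
// "app.example.other.test" starts with "app.example" but is a different origin.
function isNavigationAllowed(targetUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return false; // unparseable URL: refuse
  }
  if (parsed.protocol !== 'https:') return false; // refuses file:, javascript:, data:
  return allowedOrigins.includes(parsed.origin);
}

// Handler shape for webContents.on('will-navigate', (event, url) => ...).
// Cancels the navigation unless the target origin is on the allow-list.
function guardNavigation(event, url, allowedOrigins) {
  const allowed = isNavigationAllowed(url, allowedOrigins);
  if (!allowed) event.preventDefault();
  return allowed;
}

// Constructed sample data.
const ALLOWED_ORIGINS = ['https://app.example'];
const weakPrefs = { contextIsolation: false, nodeIntegration: false };
const hardenedPrefs = { contextIsolation: true, nodeIntegration: false, sandbox: true };

console.log(auditWebPreferences(weakPrefs));     // two findings
console.log(auditWebPreferences(hardenedPrefs)); // no findings
```

In an Electron main process, `guardNavigation` would be registered on each window's webContents; a handler of this kind only covers navigations for which the event is actually emitted.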


