Discord squashes critical Electron bugs: open source attacks continue to grow

My colleague has two kids, ages 9 and 12. Since the COVID lockdowns they have been playing more online games, and each of them uses Discord to chat with friends during gameplay. Did my colleague, or the millions of other Discord users, stop to think that vulnerabilities in the open source libraries the application is built on could lead to a takeover of their machines?

Discord, an instant messaging (IM) and VoIP app popular among the gaming community, recently patched a set of critical vulnerabilities that could allow a skilled attacker to gain remote code execution (RCE) on a user's machine through the Desktop app.

Although licensed as freeware proprietary software, Discord is built on open source libraries, like most applications today. One of them is the Node.js-based Electron framework.

What makes this case particularly interesting is that, by chaining a set of small, isolated vulnerabilities that individually seem trivial, Japanese security researcher Masato Kinugawa was able to achieve full remote code execution on a user's system running the Discord Desktop app.

Through responsible disclosure of these flaws, Kinugawa also collected $5,300 in bug bounties.

Context Isolation and Framebusting vulnerabilities

The Discord app is built with the Electron framework.

Electron is an appealing choice for developers because, besides being open source, it lets them build cross-platform GUI apps with web technologies they already know: HTML, JavaScript (JS), and CSS.

This removes the overhead of learning another UI framework from scratch, let alone debugging it.

Electron's popularity among developers is probably also why it was recently targeted by the typosquatting malware package "electorn", discovered by Sonatype (more on that later).

The actual vulnerabilities that Kinugawa was able to exploit in conjunction — a concept (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: