Recently, Discord has issued a patch for a critical issue in the desktop version of their messaging app. This critical issue left users exposed to remote code execution (RCE) through the HTML iFrame used to preview links or videos shared in Discord. In a writeup published by bug bounty hunter Masato Kinugawa, a chain of exploits was created that allowed Kinugawa to inject and execute javascript inside the app itself. After reporting it to Discord, Kinugawa was awarded $5,000 USD for his find.
Analyst Notes
As Discord has issued a patch, Binary Defense recommends updating all Discord desktop clients as soon as possible. Additionally, Binary Defense recommends employing a 24/7 SOC monitoring solution, such as Binary Defense’s Security Operations Task Force, in order to catch RCE attempts like this one.
https://www.zdnet.com/article/discord-desktop-app-vulnerable-to-remote-code-execution-bug/