Discord Patched A Critical Issue In The Desktop Version Of The Messaging App Cybers Guards

Several months ago, bug bounty hunter Masato Kinugawa built an exploit chain leading to remote code execution (RCE) and published a weekend blog post explaining the technical details of the process, which involved several bugs.

Electron, the development framework used for the Discord desktop client, revealed the first security issue. The JavaScript framework used by Electron (an open source project for building cross-platform applications capable of running JavaScript, HTML and CSS) was delivered locally because the web software is not open source, and could be extracted and analysed. One of the settings in Discord's Electron build, "contextIsolation", was set to false, which might allow internal code, such as the Node.js functionality, to be affected by JavaScript code outside the app. The setting was designed to keep separate contexts between web pages and JavaScript code.

"This behaviour is dangerous since Electron allows the JavaScript code outside of web pages to use the functionality of Node.js regardless of the [nodeIntegration] option, and it may be possible to achieve RCE by interfering with them from the overridden function on the web page even if nodeIntegration is set to false," Kinugawa explained.

Now the researcher needed a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) problem in the iframe embed feature, used to display videos in chat when a URL is shared, such as one from YouTube. This led Kinugawa to Sketchfab, a 3D model viewer. Sketchfab is whitelisted in Discord's Content Security Policy and can be included in the iframe, but it could trigger a DOM-based XSS discovered in the embed page. This only allowed the bug bounty hunter to execute JavaScript in the iframe, however, and so it was still not possible to achieve full RCE in the Discord desktop app. "Now, even though I might execute arbitrary JavaScript on the app, the overridden JavaScript built-in methods did not allow RCE to happen." At least, not until Kinugawa came across a navigation restriction bypass in the code of Electron's "will-navigate" event.

This flaw, tracked as CVE-2020-15174, combined with the other two vulnerabilities, enabled Kinugawa to achieve RCE by bypassing the navigation restrictions and reaching a web page carrying the RCE payload through the iframe XSS flaw. Kinugawa submitted his findings through Discord's Bug Bounty scheme. After the Discord team triaged the vulnerability and confirmed its validity, the developers removed the Sketchfab embed and applied a sandbox attribute to the iframe. "The contextIsolation was enabled after a patch," the bug bounty hunter said. Electron's "will-navigate" issue has been fixed as well. Kinugawa was awarded $5,000 by Discord for his report, alongside $300 by the Sketchfab team for the XSS flaw disclosure, now patched.
