Discord Patched A Critical Issue In The Desktop Version Of The Messaging App (Cybers Guards)

Several months ago, bug bounty hunter Masato Kinugawa built an exploit chain leading to remote code execution (RCE) in the Discord desktop app and published a blog post explaining the technical specifics of the process, which combined several bugs. Kinugawa submitted his findings through Discord's Bug Bounty program.

Electron, the development framework used for the Discord desktop client, was the source of the first security issue. One of the settings in Discord's Electron build, "contextIsolation", was set to false. That feature was designed to separate the context of a web page from the JavaScript code running outside it; with it disabled, JavaScript on a web page could affect internal code such as the Node.js functionality. Because the desktop application is not open source, the JavaScript code used by the Electron app (an open-source initiative for building cross-platform applications with JavaScript, HTML and CSS) is stored locally and could be extracted and analyzed. "This behavior is dangerous because Electron allows the JavaScript code outside of web pages to use the functionality of Node.js regardless of the nodeIntegration option, and it may be possible to achieve RCE by interfering with them from an overridden function on the web page even if nodeIntegration is set to false," Kinugawa explained.

Now the researcher needed a way to execute JavaScript in the application, which led to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to view videos in chat when a URL is shared, such as one from YouTube. This led Kinugawa to Sketchfab, a 3D model viewer. Sketchfab is whitelisted in Discord's Content Security Policy and can be included in the iframe, but it had a DOM-based XSS flaw in its embed page. This only allowed the bug bounty hunter to execute JavaScript inside the iframe, however, so it was still not possible to achieve full RCE in the Discord desktop app. "Now, even though I could execute arbitrary JavaScript on the app, overriding the JavaScript built-in methods did not cause RCE to happen." At least, not until Kinugawa came across a navigation restriction bypass in Electron's "will-navigate" event code. This security bug, tracked as CVE-2020-15174, combined with the other two vulnerabilities, enabled Kinugawa to achieve RCE by bypassing the navigation restriction and navigating to a web page containing the RCE payload via the iframe XSS flaw.

After the Discord team triaged the vulnerabilities and confirmed their validity, the developers removed the Sketchfab embed and applied a sandbox attribute to the iframe. "The contextIsolation was enabled after a while," the bug bounty hunter said. Electron's "will-navigate" issue has been fixed as well. Kinugawa was awarded $5,000 by Discord for his report, along with $300 from the Sketchfab team for the XSS flaw, which was promptly fixed after disclosure.
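The three hardening points the article mentions (contextIsolation and nodeIntegration in Electron's webPreferences, an origin check in the will-navigate handler, and a sandbox attribute on embed iframes) are easy to get wrong in small ways, so here is an added example that models them as plain Node.js functions. This is illustrative code written for this page; it is not Discord's, Electron's or Kinugawa's code, and it deliberately avoids importing Electron so it runs stand-alone. The allowlisted origins, the `auditWebPreferences` checks and the fake `contents` object shape are assumptions for illustration.

```javascript
// Added example (not from the article, Discord or Electron): models the hardening
// points in the story as plain functions so they run under Node without Electron.

// Weak renderer settings of the kind the article describes, beside a hardened set.
// These are constructed illustrations, not Discord's actual configuration.
const weakPrefs = { contextIsolation: false, nodeIntegration: false };
const hardenedPrefs = { contextIsolation: true, nodeIntegration: false, sandbox: true };

// Report webPreferences values that let page JavaScript reach privileged code.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is not true: page scripts share a JS context with preload/internal code');
  }
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is true: page scripts get direct Node.js access');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox is not true: renderer runs outside the Chromium sandbox');
  }
  return findings;
}

// Origins the app may navigate to (assumed allowlist for illustration).
const ALLOWED_ORIGINS = new Set(['https://discord.com', 'https://sketchfab.com']);

// Strict check: parse the URL, require https, and compare the whole origin, so
// lookalike hosts such as "sketchfab.com.evil.example" and "javascript:" URLs fail.
function isNavigationAllowed(target) {
  let url;
  try { url = new URL(target); } catch { return false; }
  if (url.protocol !== 'https:') return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// will-navigate handler: cancel anything outside the allowlist.
// Returns true when navigation proceeds, false when it was blocked.
function guardNavigation(event, target) {
  if (isNavigationAllowed(target)) return true;
  event.preventDefault();
  return false;
}

// Wire the guard to a webContents-like object (anything with .on(name, fn)).
function installNavigationGuard(contents) {
  contents.on('will-navigate', guardNavigation);
}

// Minimal HTML attribute escaping for building markup.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Embed markup with a sandbox attribute. allow-top-navigation is deliberately
// omitted so the framed page cannot navigate the app window, and the source
// must pass the same origin allowlist that navigation does.
function sandboxedEmbed(src) {
  if (!isNavigationAllowed(src)) {
    throw new Error(`refusing to embed ${src}: origin not allowlisted`);
  }
  return `<iframe src="${escapeAttr(src)}" sandbox="allow-scripts allow-same-origin"></iframe>`;
}
```

In a real Electron app, `installNavigationGuard(win.webContents)` would be called right after the `BrowserWindow` is created, and `auditWebPreferences` could run in a startup self-check or a CI test so that a future change flipping `contextIsolation` back to false is caught before release.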
