A security researcher has discovered a way of combining multiple Discord security vulnerabilities to carry out remote code execution (RCE) attacks. The exploit, which only affects the desktop version of the messaging app, allows attackers to run code remotely.
The vulnerabilities were discovered by Masato Kinugawa, a self-confessed bug hunter who reported the issues as soon as he could verify them. Discord acted swiftly to patch the flaws and an RCE attack no longer appears to be possible.
Bug bounty programs like those offered by Discord incentivize hackers to discover security flaws before they can be used for malicious ends. These initiatives often come with guarantees that no legal action will follow, and they usually pay cash rewards.
Because of the complexity of the Discord RCE exploit, Sketchfab, a platform used to publish virtual reality content, and Electron, the software used to develop desktop GUI apps, also had to be informed of their respective bugs. Both have now been patched as well.