Hi all! Discord Employee here that was involved in the remediation of this exploit! I just wanted to clarify with a timeline, and an explanation as to why we had context isolation disabled!

9:21 PM on J we received a very detailed report from Masato outlining this exploit.

9:34 PM: Ticket acknowledged, and we began a deploy that would disable Sketchfab embeds within the app, to remediate this known attack vector.

10:00 PM: Update pushed to stable to disable all existing Sketchfab embeds.

Thanks to the detailed report, we were able to go from a report to a fix deployed to stable in ~40 minutes!

Following that, the next day we deployed a better update as we understood more about the issue (which was the sandbox attribute on the iframe). In addition, we also paid out $5,000 for this bounty, even though the main fault that led to RCE was due to a bug in Electron (CVE-2020-15174) which allowed for a bypass of our CSP, by allowing the main window to be navigated to a different domain.

As for context isolation, a lot of the code that had been written was not compatible with contextIsolation, and required significant work to refactor.

We began this work in April shortly after we worked out all the quirks required to upgrade to Electron 7, which is when contextBridge would be available for us to turn on contextIsolation. For example, due to the way that objects needed to be cloned to pass through the bridge, the internal APIs that existed needed to be entirely reworked, as they were not really compatible with this model.