I wonder what's with the sudden reach out?

ref:

• Improper Electron Security Practices powercord-org/powercord#386
• AryToNeX/Glasscord#56
• Improper Electron Security Practices joe27g/EnhancedDiscord#143
• Improper Electron Security Practices leovoel/BeautifulDiscord#94

If someone finds XSS in Discord, that's Discord's fault.

I think it's important to state that these security prefs are disabled on purpose to give freedom to plugins and themes.

Sure, we could enable them back on, but that would have to come with major trade-offs that doesn't seem to be worth doing to an existing client mod.

The label is from the issue template.

I think playing the blame game isn't the right thing to do here, please calm down.

@cookie1599 @Sagishii @SpicyTakis offtopic comments are unnecessary and clutter the issue. Please refrain from doing this.

Seriously... If Discord wanted to be at least somewhat secure, they'd install into %ProgramFiles%

Discord packages for Linux do install it system-wide (thanks to the package maintainers).
Injections are still possible because Discord then installs its modules locally for the user.
At least, as a result of the system-wide installation method, (some) auto-updates are disabled.

@night Are you writing on behalf of Discord or as a side project developer?

There's lots Discord can do to help client modifications and make these security problems a non issue. Instead you create GitHub issues across all the popular client mods as if they can work around these problems without major drawbacks.

Maybe if you worked more as a company with client modifications you wouldn't have to worry about these issues.

@night I find it hard to believe that you, an employee of Discord, are trying to "help" in fixing security issues in applications that break the TOS.

What is your goal here?

Seriously... If Discord wanted to be at least somewhat secure, they'd install into %ProgramFiles% (like Skype does) instead of some random location where literally any application run with normal user privileges can mess with it. Note that Discord's forced auto-updates at application startup can also inject code at will. The machine is compromised long before any v8 context isolation would happen.

Discord does have improvements planned for downloading and updating, but I just want to highlight that these are completely different attack vectors.

Discord's app displays a remote website which is being given direct access to remotely execute code by this software. In an example attack scenario, arbitrary user data which somehow gets access to run JavaScript would essentially be a 0-day. To exploit app updates, Discord's distribution channels would need to be forced to serve an exploit. Given the attack surfaces listed, the former is more likely to occur since user-generated content is accessible from clients and there is much more surface area for attack.

Arguing that all security should go out the window because of us installing to AppData is also a pretty irresponsible way of thinking as a developer. Security is built in layers, with the end goal being that the attack surface area is sufficiently reduced. It is everyone's job to think about security.

I think it's important to state that these security prefs are disabled on purpose to give freedom to plugins and themes.

Sure, we could enable them back on, but that would have to come with major trade-offs that doesn't seem to be worth doing to an existing client mod.

It's unfortunate that you believe security and client mods to be mutually exclusive. While making a client mod work properly in a sandboxed environment will require some amount of work, the end result here is for the benefit of users. If you have specific questions regarding Electron I can try to offer you direction/advice, but all of the listed security issues are usually solvable problems.

If you have specific questions regarding Electron I can try to offer you direction/advice, but all of the listed security issues are usually solvable problems

It's a public repo, feel free to contribute

I understand.

While I'm not sure some of these are possible for us to do at the moment, like:

• Disabling Node integration, since the beginning our code has been running off a <script> element, there are better ways to go around this while still allowing remote updates perhaps.
• Enabling context isolation, tons of work for both the client mod and the plugins ecosystem. I think it may very well can cause a heavy backlash from some people.
• Removal of CSP bypass, I think themes will be suffering the most here.

At the very least, this issue was filed with good intent on mind, so thank you.

First, I want to apologize for some of the more.. antagonistic responses. Their feelings do not reflect my own.

It's unfortunate that you believe security and client mods to be mutually exclusive.

I agree that they should not be mutually exclusive.

The points you've brought up are things I've considering changing in the past, however this mod started out as a fork of the original BetterDiscord, it's only no longer marked as a fork by GitHub due to the limitations it was placing on the repo. Because of that, all of those were ingrained in the original design and removing those would cause backwards-incompatible changes for the mod itself as well as plugins and themes.

I feel similar to @Bowser65 that some of it could be changed.

• For node integration, we could use our own API/IPC to get modules or equivalent functions to plugins.
• The CSP could be modified to allow only certain whitelisted sites as Bowser also pointed out. (In our case we would only allow GitHub and Imgur as that's what we limit our plugins and themes to currently.)
• And again as Bowser said, the most significant hurdle would be the context isolation. After bouncing some ideas off of Bowser I had a couple ideas on potential workarounds for the context isolation, however I haven't had a chance to test them out.

That said, as someone who not only maintains BetterDiscord, but also has contributed to (in some form or another) EnhancedDiscord as well as Powercord, I think it's a good idea to put some of the more detailed discussion in one spot for us all. I think the best spot (on GitHub) would be the issue you opened on the Powercord repository as you and Bowser have already had some dialogue there and it's also not as cluttered as this one seems to have become very quickly. Let me know if you can think of a better spot.

As a side note, I have been working on another (potential) mod separate from BD where security would be a bigger part of the mod and these holes would not exist. The injector I've been working on for that one complies with all of the above, save for the context isolation. Hopefully soon I'll be able to test out some of the ideas I mentioned above and provide an update.

You shouldn't limit img-src to Imgur. There are many (oftentimes better) image hosting services.

And you aren't allowed to hotlink imgur anyway outside of forums (according to their ToS anyway, or, what they claim is in it)

It seems the change night mentioned on the Powercord issue

It's also worth noting that these issues have prompted some internal discussion around Electron security. We are now considering force enabling BrowserWindow security options on the Electron level within the next couple months

has finally become reality. See this commit here. Discord is now shipping a modified version of Electron to ensure these features are on and cannot be disabled by BD. Currently, this only affects the Canary release channel, but it may come to others soon.

This requires a major re-architecture of BD (and potentially plugins as well) in order to comply and work with this. I can only say I will do what I can when I can. My free time, and frankly interest, to work on BD has been dwindling in recent days. Especially with work taking up more and more of my time.

Time for BD to start installing its own version of Electron to replace Discord's. 🤔
(discord_arch_electron already does that using a system-wide Electron installation.)

discord/electron@c0575e6

It's also worth noting that these issues have prompted some internal discussion around Electron security. We are now considering force enabling BrowserWindow security options on the Electron level within the next couple months

has finally become reality. See this commit here. Discord is now shipping a modified version of Electron to ensure these features are on and cannot be disabled by BD. Currently, this only affects the Canary release channel, but it may come to others soon.

This requires a major re-architecture of BD (and potentially plugins as well) in order to comply and work with this. I can only say I will do what I can when I can. My free time, and frankly interest, to work on BD has been dwindling in recent days. Especially with work taking up more and more of my time.

I'm assuming that's what just broke the latest discord update from the AUR for me (canary). Was about to open an issue, but I randomly decided to read this first.

I'm just updating this to let people know: my solution has just been to move over to powercord. No offence to BD, but powercord seems MUCH nicer than BD.

stable seems to have implemented this change as well

stable seems to have implemented this change as well

It's being rolled out rather slowly. There is a fix that can be pushed if absolutely needed. You might also have luck with this quick patch if you're on stable.

Link from image: https://cdn.discordapp.com/attachments/410788958277074944/821690118468272168/patch.zip

Affects stable as well now, attempting to install through betterdiscordctl will cause discord to greet you with a message saying "your discord installation has continuously failed to update and is now very out of date".

thx seems to be for windows though unless I am mistaken so linux users are out of luck I'll try and see if I can apply the solution to the Linux version, I think the equivalent folder on Linux is ~.local/betterdiscord or something, but I'm assuming if they put a notice that says windows only it won't be so easy

EDIT: NVM idk why I thought the patch had to be placed into the betterdiscord folder its the discord folder that it has to go into

it's the same for me. I guess I'll just have to wait until the next version of BD releases. Good luck guys

See #598 (comment)

Update: A new cross-platform installer (in beta) is now available that runs safely inside of these new security measures.
https://github.com/BetterDiscord/Installer/releases/latest

After a long time, BetterDiscord now complies with almost all of the items listed, however a better solution for the CSP is in the works. So this issue will stay open to track that.

Not directly related to electron, but as an additional security measure all plugins from our new website are manually reviewed every update. This further decreases the likeliness of malicious code being distributed through official sources, however security still is an issue when it comes to running untrusted plugins.