Trail of Bits
Audit Open Original ↗

Discord DAVE

Type

Security review

Client

Discord

Date

2024-09

Domain

Crypto

Effort

5 wks

Section

Cryptography Reviews

Trail of Bits's security review of Discord (Sep 2024) identified 15 issues: 1 high, 4 medium, 6 low, 3 informational, and 1 undetermined.

Findings · 15

  1. 1 Undefined behavior in frame processor Medium
  2. 2 Insucient validation of unencrypted ranges Medium
  3. 3 Insucient Windows key data size validation Low
  4. 4 Call participants can send dierent media frames to lagging participants Low
  5. 5 Encrypted frames can be delivered multiple times or out-of-order Informational
  6. 6 Unencrypted range osets and sizes are not authenticated Medium
  7. 7 Insucient size validation in SerializeUnencryptedRanges Informational
  8. 8 Integer overflow during encrypted frame validation Low
  9. 9 Out-of-bounds read in FindNextH26XNaluIndex Low
  10. 10 Insucient validation of proposal type Low
  11. 11 Application UI does not distinguish causes of verification failure Informational
  12. 12 Public key uploads are not bound to a specific account Low
  13. 13 Sensitive data is not cleared from memory Medium
  14. 14 Session not closed on bad MLS binary input Undetermined
  15. 15 Static key ratchet used in production code High

Findings extracted from the published report PDF. See the full report below for details and remediation.

Related