Cybersecurity researcher Mohan Pedhapati described using the Anthropic Claude Opus 4.6 AI model to write a complete exploit chain against the V8 JavaScript engine in Google Chrome 138, which the current Discord client runs on.

Writing the exploit chain took a week, the researcher reported, and consumed 2.3 billion tokens and $2,283 in API access to the AI model. He also contributed his own effort, spending a total of 20 hours solving deadlocks. Mohan Pedhapati admitted that the cost of creating the hacking scheme appears significant for a solo developer; on the other hand, a similar project would have taken several weeks to complete without assistance. The project also proved economically profitable: the reward from Google and Discord for reporting such an exploit can reach around $15,000. And that is only the legitimate market; cybercriminals could pay a much higher price for a zero-day vulnerability.
Many services release their apps on the Electron framework, which is in turn based on Chrome—this is the case not only for Discord but also for Slack, for example. However, the framework's current code is one version behind the browser's, and app developers don't always promptly update dependencies, nor do users always install the latest app versions. The author chose the Discord client because it runs on Chrome 138, meaning it's nine major versions behind the current browser version.
Mohan Pedhapati points out that any novice programmer with sufficient patience and an API key for an AI model can hack unpatched software: "it's a matter of time, not probability." Moreover, "every patch is essentially a hint for an exploit," because open-source projects are developed transparently, meaning fixes are often publicly visible in the code even before a complete update is released. To protect applications from such attacks, the expert recommends monitoring dependencies more carefully and adopting changes promptly, as well as releasing security patches automatically so that user software does not remain vulnerable because an update was simply forgotten. Finally, open-source projects should exercise caution when publishing detailed vulnerability data.
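One way to act on the dependency-monitoring recommendation is to inventory the embedded Chromium version that Electron clients report in their User-Agent and flag those lagging the current stable browser. This is an added example, not code from the researcher or from any project named here; the function names, the sample strings, and the current stable major of 147 (138 plus the nine versions the article mentions) are assumptions.

```javascript
// Constructed sample User-Agent strings, shaped like those Electron apps send.
// App names and Electron/0.0.0 are placeholders; only the Chrome major matters.
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.0 Chrome/138.0.0.0 Electron/0.0.0 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) discord/1.0.0 Chrome/138.0.0.0 Electron/0.0.0 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) ExampleChat/4.2.0 Chrome/146.0.0.0 Electron/0.0.0 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36",
  "curl/8.5.0",
];

// Returns { app, chromeMajor, electron } for an Electron client, else null.
function parseEmbeddedChromium(ua) {
  const chrome = /\bChrome\/(\d+)\./.exec(ua);
  const electron = /\bElectron\/([\d.]+)/.exec(ua);
  if (!chrome || !electron) return null; // plain browser or non-Chromium client
  // The app token is the product/version pair directly before "Chrome/".
  const app = /\)\s+([A-Za-z][\w-]*)\/[\w.]+\s+Chrome\//.exec(ua);
  return {
    app: app ? app[1] : "unknown",
    chromeMajor: Number(chrome[1]),
    electron: electron[1],
  };
}

// Flags Electron clients more than maxLag majors behind current stable.
// maxLag defaults to 1 because an up-to-date Electron build already trails
// the browser by one version, as the article notes.
function findStaleClients(uas, currentStableMajor, maxLag = 1) {
  const seen = new Map();
  for (const ua of uas) {
    const client = parseEmbeddedChromium(ua);
    if (!client) continue;
    const lag = currentStableMajor - client.chromeMajor;
    if (lag <= maxLag) continue;
    const key = `${client.app}@${client.chromeMajor}`;
    const entry = seen.get(key) || { ...client, lag, hits: 0 };
    entry.hits += 1; // count requests so the most widespread lag stands out
    seen.set(key, entry);
  }
  return [...seen.values()].sort((a, b) => b.lag - a.lag);
}

// 147 is an assumed current stable major, not a value taken from a feed.
console.log(findStaleClients(SAMPLE_UAS, 147));
```

In practice the input would be the User-Agent column of proxy or gateway logs, and the current stable major would come from a release feed rather than a constant.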
Source: 3dnews.ru
