RPC server from inactive user session can intercept requests from RPC clients on active user session. #7240

Open
@TheKing-OfTime

Description

If 2 users (let's call them User A and User B) are logged in to a PC and both have Discord running, then the Discord launched last (for example, User B's) fails to open the IPC and WS servers for RPC (address is already in use). Moreover, all apps launched in User B's session will connect to User A's Discord client and will be able to change Presence and request OAuth. Most dangerous of all, RPC requests from the web invite resolver are intercepted. So if User B clicks on an invite link in a browser, a popup with the invite will appear in User A's client.

Steps to Reproduce

  • Create 2 user sessions on your PC.
  • Log in to the first and launch the Discord client.
  • Lock the first session.
  • Log in to the second and launch the Discord client.
  • Open a browser and go to an invite link (for example https://discord.gg/valorant).
  • You will see a modal.

Expected Behavior

Client pops up with invite modal in active session (User B).

Current Behavior

Client pops up with invite modal in inactive session (User A).

The easiest solution for this issue that I found is to just stop the RPC server on electron.powerMonitor.on('lock-screen') and start it again on electron.powerMonitor.on('unlock-screen').

Client and System Information

canary 339515 (06d275e) Host 1.0.470 x64 (54363) Build Override: N/A Windows 11 64-bit (10.0.22631)
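
The reproduction steps and the lock-screen mitigation suggested in this issue, replayed as a small model (an added example, not part of the original issue and not Discord's code). The endpoint name, the FakePowerMonitor stand-in for electron.powerMonitor, and all class and function names are constructed for illustration.

```javascript
const ENDPOINT = 'rpc-endpoint'; // constructed placeholder for the shared IPC pipe / WS port

// Stand-in for electron.powerMonitor so the model runs outside Electron.
class FakePowerMonitor {
  constructor() { this.handlers = {}; }
  on(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); }
  emit(name) { (this.handlers[name] || []).forEach((fn) => fn()); }
}

// Machine-wide namespace: one owner per endpoint, whichever user session asks.
class EndpointNamespace {
  constructor() { this.owners = new Map(); }
  bind(name, owner) {
    if (this.owners.has(name)) return false; // "address is already in use"
    this.owners.set(name, owner);
    return true;
  }
  release(name) { this.owners.delete(name); }
  connect(name) { return this.owners.get(name) || null; }
}

class RpcClientModel {
  constructor(user, ns, monitor, gateOnLock) {
    Object.assign(this, { user, ns, serving: false });
    if (!gateOnLock) return;
    monitor.on('lock-screen', () => this.stopRpc()); // mitigation suggested in the issue
    monitor.on('unlock-screen', () => this.startRpc());
  }
  // Returns false while another session still owns the endpoint, so the caller can retry.
  startRpc() {
    if (!this.serving) this.serving = this.ns.bind(ENDPOINT, this.user);
    return this.serving;
  }
  stopRpc() {
    if (this.serving) this.ns.release(ENDPOINT);
    this.serving = false;
  }
}

// Replays the reproduction steps; returns whose client receives the invite RPC.
function inviteReceiver(gateOnLock) {
  const ns = new EndpointNamespace();
  const monitorA = new FakePowerMonitor();
  const a = new RpcClientModel('User A', ns, monitorA, gateOnLock);
  a.startRpc();                 // first session launches the client
  monitorA.emit('lock-screen'); // first session is locked
  const b = new RpcClientModel('User B', ns, new FakePowerMonitor(), gateOnLock);
  b.startRpc();                 // second session launches the client
  return ns.connect(ENDPOINT);  // browser in the second session resolves an invite
}
```

In this model, inviteReceiver(false) returns 'User A' (the behaviour reported above) and inviteReceiver(true) returns 'User B'.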
