Frans Rosén, a security researcher at Detectify, has been awarded $3,000 from Slack after uncovering a serious vulnerability that could have helped hackers to seize control of users’ accounts.
As Threatpost reports, Rosén discovered flaws in Slack’s code that ultimately led to a method of stealing a user’s private token, and gaining unauthorised access to accounts:
The researcher eventually came up with an exploit that allowed him to steal Slack tokens. To get this done, he built a malicious page specifically designed to pick up and store your token. When clicked, the malicious page proceeds to open a Slack call, which in turn initiates a WebSocket reconnect pointed at his rogue server.
Of course, this methodology really requires a Slack user to be specifically targeted, and for that targeted user to click on a link or deliberately visit a boobytrapped webpage containing the code that begins the attack.
Nonetheless, this isn’t the type of vulnerability that any security-conscious software firm wants lying around waiting to be abused, and Rosén praised Slack’s response for… err… not being slack in its response.
I sent the report to Slack on a Friday evening. They responded 33 minutes after my initial report and had a fix out 5 hours after that. Amazing.
I agree. It’s a great response that should set an example for other technology companies. And, remember, this was on a Friday afternoon.
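The attack described above depends on the client reconnecting its WebSocket to a server the attacker chose. As an added example (not Slack's code or its actual fix, which this article does not describe), here is one general client-side defence: check a reconnect target against an allowlist before any token is sent to it. The domain `chat.example`, the function names and the sample URLs are all constructed for illustration.

```javascript
// Added illustration: refuse WebSocket reconnect targets outside an allowlist.
// "chat.example" is a constructed placeholder for the service's own domain.
const ALLOWED_SUFFIXES = ["chat.example"];

function isTrustedReconnectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // unparsable input is never trusted
  }
  if (url.protocol !== "wss:") return false;       // TLS only, no ws: or http(s):
  if (url.username || url.password) return false;  // wss://trusted-name@other-host
  if (url.port !== "") return false;               // default port (443) only
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Match the exact domain or a true subdomain; the leading dot prevents
  // "evilchat.example" from matching "chat.example".
  return ALLOWED_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// openSocket is a hypothetical callback that would open the connection and
// send the session token; it is only called for allowlisted targets.
function reconnect(raw, openSocket) {
  if (!isTrustedReconnectUrl(raw)) {
    return { connected: false, reason: "untrusted reconnect target" };
  }
  openSocket(raw);
  return { connected: true };
}

// Constructed sample inputs covering the usual bypass shapes.
const SAMPLES = [
  "wss://ws.chat.example/session",         // legitimate subdomain
  "wss://evilchat.example/session",        // look-alike suffix
  "wss://chat.example.attacker.test/",     // trusted name used as a prefix
  "wss://ws.chat.example@attacker.test/",  // trusted name in userinfo
  "ws://ws.chat.example/session",          // plaintext downgrade
];

function classifySamples() {
  return SAMPLES.map((u) => [u, isTrustedReconnectUrl(u)]);
}

console.log(classifySamples());
```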