Slack Technologies Inc. disclosed a major vulnerability plaguing its desktop app last Friday, August 28, 2020. While a patch has been issued for the software bug, Mashable reports the flaw could have greatly impacted users’ computers.
Although the bug was discovered by a third-party security researcher last January, the communications tool company only disclosed the information to the public at the end of August. ThreatPost notes that the delay in disclosure stems from a hold on publishing bugs on the forum, which was in place for a few months.
Mashable states that the researcher reported the flaw via the HackerOne platform early in the year as part of the bug bounty program of Slack.
The vulnerability, classed as “remote code execution,” could reportedly be used to reach users’ private information, including “access to private files, private keys, passwords, secrets, internal network access,” the researcher reveals.
Moreover, the researcher, who ThreatPost states goes by the username oskarsv, added: “The payload can easily be modified to access all private conversations, files, tokens, etc. without executing commands on the user’s computer.”
Beyond enabling remote code execution (RCE), which ThreatPost says allows attackers to take full control of the app, the critical flaw could also serve as a worm, affecting and infecting other users within a team.
Mashable states that the “wormable” attack could be spread by the account holder who was initially infected.
According to ThreatPost, exploiting the vulnerability would require hosting a file containing the payload on the attacker’s own HTTPS-enabled server and posting a link to it in Slack; should a user click on the image containing the attack, the code would run on their device.
For these efforts, oskarsv was awarded only $1,750 under Slack’s bug bounty program, run through the HackerOne platform. Mashable states that many members of the security community voiced their concerns regarding this, saying the payout was a paltry sum compared to the severity of the flaw and the effort involved.
In response to the issue, a company spokesperson for Slack said,
“Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers.”
The company representative also emphasized that Slack had deployed a fix for the issue by February 20, 2020.
To avoid being affected by the flaw, Slack desktop users are advised to update their program to at least version 4.4.
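For administrators who want to confirm that every managed workstation actually carries a patched Slack desktop build, the following is an added example (not code from the article, from Slack, or from the researcher). It takes a constructed inventory of hostnames and reported Slack version strings and flags the hosts below the 4.4 threshold named above. Comparison is done numerically rather than on the raw strings, so that a version such as 4.10.1 is not mistaken for something older than 4.4.0, and pre-release tags (for example 4.4.0-beta1) are conservatively treated as older than the final release. The hostnames and versions are made up for the example.

```python
import re
from typing import List, Tuple

# Slack desktop 4.4 is the minimum version recommended in the article.
# The trailing 1 marks a final release; pre-releases carry a 0 instead,
# so "4.4.0-beta1" sorts strictly below "4.4.0".
MIN_SAFE_VERSION = (4, 4, 0, 1)

# Constructed sample inventory: (hostname, Slack desktop version as reported
# by an endpoint agent). These values are invented for the example.
SAMPLE_INVENTORY = [
    ("ws-alice", "4.4.0"),
    ("ws-bob", "4.3.2"),
    ("ws-carol", "4.10.1"),
    ("ws-dave", "3.9"),
    ("ws-erin", "4.4.0-beta1"),
    ("ws-frank", "unknown"),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '4.10.1', '3.9' or '4.4.0-beta1' into a comparable tuple.

    Missing components are padded with zeros ('3.9' -> 3.9.0), and a
    pre-release suffix lowers the final flag to 0 so it compares below
    the corresponding final release. Raises ValueError for strings that
    carry no leading numeric version, so callers can report them instead
    of silently treating them as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]
    release_flag = 0 if m.group(2) else 1
    return nums + (release_flag,)


def is_outdated(version: str, minimum=MIN_SAFE_VERSION) -> bool:
    """True when the reported version is older than the minimum safe build."""
    return parse_version(version) < minimum


def hosts_needing_update(inventory, minimum=MIN_SAFE_VERSION) -> Tuple[List[str], List[str]]:
    """Split an inventory into (hosts below the minimum, hosts with unparseable versions)."""
    outdated: List[str] = []
    unparseable: List[str] = []
    for host, version in inventory:
        try:
            if is_outdated(version, minimum):
                outdated.append(host)
        except ValueError:
            unparseable.append(host)
    return outdated, unparseable


if __name__ == "__main__":
    stale, unknown = hosts_needing_update(SAMPLE_INVENTORY)
    print("Hosts below Slack 4.4:", ", ".join(stale) or "none")
    print("Hosts with unreadable version data:", ", ".join(unknown) or "none")
```

Hosts whose version string cannot be parsed are reported separately rather than being dropped, since a missing or garbled version usually means the agent could not inspect the install at all, which is itself something to follow up on.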