Slack, a business communication program, is urging its users to reset their passwords after a bug was found in an update it released in December 2020. The company has since announced that its Android application was found storing user credentials in plaintext, including passwords of individuals.
A report by Android Police reveals that Slack has emailed affected users to warn them about the incident. Despite the flaw, the business communication app maintains that only a small subset of people was affected.
Part of the email reads, “On December 21st, 2020, Slack introduced a bug that caused some versions of our Android app to log clear text user credentials to their device. Slack identified the issue on January 20th, 2021 and fixed it on January 21st, 2021.”
The flaw in the Android application went a whole month before it was fixed. Despite this, Forbes reports that the company says it has no evidence that third-party users or threat actors gained access to the user-identifiable data.
According to The Verge, the business communication application reached out after the news site initially published the story. It said that although the Android app logged and stored passwords in plaintext, these are still largely secure, especially as the logs found in the program would remain private.
One cause of concern that the company brought up in its statement to The Verge, however, is that this flaw could cause problems if an individual uses a rooted phone and its protections are not activated.
Apart from this, The Verge reveals that the small subset of users Slack refers to is vulnerable only if they logged in to the app using their email address and password within the said period, from December 21, 2020, to January 21, 2021.
Individuals who used the single sign-on (SSO) system or who were already logged in to the app prior to the incident are not affected by the security flaw, states the company.
Following this, the business communication app is urging the public, particularly its Android users and those who received its email, to change their passwords by clicking on the link provided by the company.
Before this, however, the communications firm also advises individuals to update to the latest version of the Android app available for download on the Play Store. This will make the patch available on their device.