The company patched things up in just five hours

Mar 2, 2017 14:44 GMT  ·  By

A bug in the popular workplace chat client Slack let attackers hijack users' accounts and take control of all their communications. The problem has since been patched, so it is worth updating your apps.

The flaw was discovered by Frans Rosén, a security researcher at the cybersecurity firm Detectify. According to his blog post on the matter, users' Slack tokens could be stolen by tricking them into opening a malicious page.

Rosén explains that he noticed the problem when he encountered a glitch in Slack's browser version that allowed him to hang up other people's calls. Another flaw in the call feature allowed the researcher to intercept messages being sent to the main app.

"Now, just submitting that they were missing an origin-validation is not fun at all and would likely not show them the true severity of the issue. I had to come up with a better exploit scenario by looking through the code," Rosén writes.

So Rosén built an exploit to steal Slack tokens: a malicious page designed to pick them up and store them. In short, when someone opened the page, a Slack call was opened, which triggered a WebSocket reconnect to his rogue server.

Stolen tokens could be used to gain access to people's accounts, which is just as worrying.
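The underlying weakness Rosén describes is a browser message handler that never validates where a message came from. As an added illustration (not the article's or Slack's code; the trusted origin, hostnames and message shape are all assumed), here is that pattern beside a hardened handler that checks `event.origin` and constrains where a reconnect may point:

```javascript
// Added example, not from the article or from Slack. Both handlers would be
// registered with window.addEventListener("message", ...) in a real page;
// here they are plain functions so the behaviour can be exercised offline.
const ALLOWED_ORIGIN = "https://app.example.com"; // assumed trusted origin

// Vulnerable pattern: acts on the message without looking at event.origin,
// so any page holding a reference to this window can drive it.
function handleMessageUnsafe(event, state) {
  const msg = event.data;
  if (msg && msg.type === "reconnect") {
    state.socketUrl = msg.url; // a sender-controlled endpoint is accepted as-is
    return true;
  }
  return false;
}

// Hardened pattern: exact-match origin check first, then strict validation
// of the payload, then an allowlist for the WebSocket target it may set.
function handleMessageSafe(event, state) {
  if (event.origin !== ALLOWED_ORIGIN) return false; // reject unknown senders
  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.type !== "reconnect") return false;
  if (typeof msg.url !== "string") return false;
  let target;
  try { target = new URL(msg.url); } catch { return false; }
  // Only reconnect to our own host, and only over TLS.
  const ownHost = new URL(ALLOWED_ORIGIN).host;
  if (target.protocol !== "wss:" || target.host !== ownHost) return false;
  state.socketUrl = target.href;
  return true;
}

// Constructed sample events standing in for browser MessageEvent objects.
const fromTrustedPage = { origin: "https://app.example.com",
  data: { type: "reconnect", url: "wss://app.example.com/ws" } };
const fromUnknownPage = { origin: "https://rogue.example.net",
  data: { type: "reconnect", url: "wss://rogue.example.net/ws" } };

// Runs both handlers against both events and reports what each accepted.
function demo() {
  const unsafe = {}, safe = {};
  const results = {
    unsafeAcceptsUnknown: handleMessageUnsafe(fromUnknownPage, unsafe),
    safeRejectsUnknown: handleMessageSafe(fromUnknownPage, safe),
    safeAcceptsTrusted: handleMessageSafe(fromTrustedPage, safe),
  };
  return { results, unsafeSocket: unsafe.socketUrl, safeSocket: safe.socketUrl };
}
```

The second handler also refuses a well-formed message from the trusted origin if it names a foreign host or a plaintext `ws:` scheme, which is the check a reviewer would look for beyond the origin comparison itself.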

Bountiful bug

Slack paid a bug bounty of $3,000 for this vulnerability and patched the issue in just a few hours.

"I sent the report to Slack on a Friday evening. They responded 33 minutes after my initial report and had a fix out 5 hours after that. Amazing," the researcher praises.

It's good to see such a speedy response to a reported vulnerability, especially since attackers could otherwise find their way into the apps and wreak havoc. Luckily for Slack, this time it was a security researcher looking for bugs, not a cyber criminal.