This article was published on March 1, 2017

Slack bug granted hackers full access to your account and messages [Update]



Security researchers have disclosed a concerning vulnerability in popular chat client Slack that allowed attackers to hijack your account and take control of your entire communication line.

The flaw, which was initially spotted and documented by Frans Rosén from cybersecurity firm Detectify, basically allows ill-intended individuals to snatch your Slack token by tricking you into opening a malicious page.

What tipped Rosén off about this loophole was a glitch in the browser version of the app which allowed him to hang up other people’s calls. He then uncovered another flaw in the code which enabled him to intercept the messages being sent to the main application.

The researcher eventually came up with an exploit that allowed him to steal Slack tokens. To get this done, he built a malicious page specifically designed to pick up and store your token. When clicked, the malicious page proceeds to open a Slack call, which in turn initiates a WebSocket reconnect pointed at his rogue server.

While the page wouldn’t readily reveal user credentials, recovering the token is equally alarming as it could be easily exploited to obtain access to user accounts.
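One client-side defence against the rogue reconnect described above, shown as an added example (not Slack's or Detectify's code). It assumes the reconnect target reaches the app as a message from another window; the origin, host suffix and message shape are hypothetical placeholders.

```javascript
// Added example: all names, origins and hosts are hypothetical placeholders.
const TRUSTED_ORIGINS = new Set(["https://app.chat.example"]);
const ALLOWED_WS_HOST_SUFFIX = ".ws.chat.example";

// Return a normalized wss:// URL if the target is acceptable, otherwise null.
function validateReconnectUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw);
  } catch (_) {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "wss:") return null;      // no plaintext ws:, no other schemes
  if (url.username || url.password) return null; // reject wss://trusted-name@other-host
  const host = url.hostname.toLowerCase();
  // Suffix starts with a dot, so look-alike hosts without that boundary fail.
  if (!host.endsWith(ALLOWED_WS_HOST_SUFFIX)) return null;
  return url.href;
}

// Decide whether a cross-window message may trigger a reconnect.
// `event` has the shape of a browser MessageEvent: { origin, data }.
function reconnectTargetFromMessage(event) {
  // Check the sender first: a page on any other origin is ignored outright.
  if (!event || !TRUSTED_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "reconnect") return null;
  // Even a trusted sender cannot point the session token at an arbitrary server.
  return validateReconnectUrl(data.url);
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== "undefined" && typeof WebSocket !== "undefined") {
  window.addEventListener("message", (event) => {
    const target = reconnectTargetFromMessage(event);
    if (target) new WebSocket(target);
  });
}
```

Both checks matter: the origin check stops an untrusted page from driving the app at all, and the host check keeps the token-bearing connection on servers the operator controls.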

Slack has since acknowledged and patched the exploit. According to Rosén, the chat client responded promptly to his report, eliminating the vulnerability in the short window of five hours. He also received a bug bounty of $3,000.

Detectify appears to have a penchant for laying bare flaws in the popular app. Back in April last year, the cybersecurity firm found another kink in the communication platform which allowed sly hackers to recover your tokens from Slack applications uploaded to GitHub.

Head to Detectify’s blog to read the full report – including a more technical account of the attack vector. You can also watch a video of the exploit in action.

Update: Slack has since contacted TNW with the following statement, assuring that the company has confirmed no accounts have been exploited as a result of the vulnerability:

This bug is exactly why we invest in our public bug bounty program. Once it was identified by the security researcher, we were able to fix it within five hours and confirm shortly after that it was not exploited in the wild.
