#BugAlert: Critical desktop hijack vulnerability detected in Slack; now fixed
Slack, one of the biggest players in the remote collaboration space, has fixed a major flaw in its service. The issue affected its desktop app and could have left many companies and their employees compromised, were it not for the security researcher who discovered the bug in the first place and Slack's subsequent (if stingy) response. Here are more details.
Bug allowing remote code execution
The vulnerability in question opened a way for a threat actor to carry out remote code execution attacks against Slack users. All they had to do was upload and send a malicious file, dressed up with an enticing image, to an unsuspecting Slack user and trick them into opening it. Once the user opened the file, the attacker's code executed inside the desktop app, compromising the user.
Hack could have effectively caused major issues
According to Oskars Vegeris, the researcher who found the flaw, exploiting this issue could have given attackers "access to private files, private keys, passwords, secrets, internal network access" as well as "private conversations, files, etc. within Slack." The attack could also have been made wormable, automatically spreading the malicious file to all other members of a Slack team.
Here's what Vegeris said about the issue
"With any in-app redirect - logic/open redirect, HTML, or JavaScript injection, it's possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass, and an RCE JavaScript payload."
Slack informed in January, patch deployed in February
Notably, Vegeris reported the RCE vulnerability on January 27 through HackerOne, and Slack issued a patch plugging it by February 20. The work collaboration company also awarded Vegeris, who works at Evolution Gaming, a bug bounty of $1,750 (Rs. 1.3 lakh). But the security community is not happy with the reward, considering the severity of the issue he helped address.
His work was also not credited
Making matters worse, Slack published a blog post about the bug without crediting Vegeris for the work he did to flag the flaw. The company's interim CSO later apologized for the misstep and promised to make the necessary changes to the post, but that did little to help Slack's case, and the researcher community heavily criticized Slack for undervaluing their work.
We will continue to review payout scale: Slack
"Our bug bounty program is critical to keeping Slack safe," the company told Mashable. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work."