Bug in Slack allowed attackers to take over user accounts
Slack, a popular medium for sharing information within organizations and businesses, suffered from a bug that allowed user accounts to be taken over. Attackers could thus gain access to every channel the account was a member of.
Frans Rosén, a security researcher at Detectify, discovered the bug last month and reported it to Slack. The vulnerability has since been fixed and the details have been made public. The report shows that attackers could use it to take over someone else’s account and thus gain access to all content that person was authorized to see.
According to Rosén, the vulnerability lay in the way Slack’s various systems communicate with each other, specifically in the implementation of postMessage. Rosén built a proof of concept by setting up a web page that extracted authentication tokens from Slack users who visited it. These xoxs tokens then allowed an attacker to act as the owner of that account. Because Slack is widely used for sharing information within organizations and companies, company secrets could potentially have been stolen.
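The article does not show Slack’s code, but the typical way a postMessage bug leaks a token is a listener that trusts any sender. The following is an added illustration, not Slack’s or Detectify’s code: a weak handler beside a hardened one, with the handler names, the origin allow-list and the token value all constructed for the example.

```javascript
// Added illustration of the postMessage failure mode described above.
// The event shape mirrors the browser MessageEvent ({origin, data, source});
// `source` is any object with postMessage(data, targetOrigin), so these
// functions run in Node for testing as well as in a page. Names are hypothetical.

const SESSION_TOKEN = "xoxs-EXAMPLE-CONSTRUCTED"; // placeholder, not a real token
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]); // assumed allow-list

// Weak handler: never looks at event.origin and replies with targetOrigin "*".
// Any page holding a reference to this window can ask for the token and get it.
function weakHandler(event) {
  if (event.data && event.data.type === "get_token") {
    event.source.postMessage({ token: SESSION_TOKEN }, "*");
    return true;
  }
  return false;
}

// Hardened handler: exact-match the sender origin against an allow-list, then
// echo that origin back as targetOrigin so the browser drops the reply if the
// sender window has since navigated somewhere else.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  if (!event.data || event.data.type !== "get_token") return false;
  event.source.postMessage({ token: SESSION_TOKEN }, event.origin);
  return true;
}

// Test double standing in for the sender window; records what it would receive.
function fakeWindow() {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) { received.push({ data, targetOrigin }); },
  };
}

// Deliver one "get_token" request from `origin` and return what the sender
// would have received (null when the handler correctly stays silent).
function simulate(handler, origin) {
  const src = fakeWindow();
  handler({ origin, data: { type: "get_token" }, source: src });
  return src.received.length > 0 ? src.received[0] : null;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak handler, untrusted origin:", simulate(weakHandler, "https://evil.example"));
  console.log("hardened handler, untrusted origin:", simulate(hardenedHandler, "https://evil.example"));
}
```

The detection-side takeaway is the same for both handlers: a listener that answers with a credential must fail closed on origin, and a reply sent with targetOrigin "*" is a finding in code review regardless of what the request looked like.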
A Slack spokesperson told Wired it had fixed the bug within five hours of receiving Rosén’s report. The logs did not show that the vulnerability was abused.