Bug in Slack allowed attackers to take over user accounts

Spread the love

Slack, a popular medium for sharing information within organizations and businesses, suffered from a bug that could allow user accounts to be taken over. Malicious persons could thus gain access to all channels that the account was a member of.

Frans Rosén, a security researcher at the company Detectify, discovered the bug last month and notified Slack. The vulnerability has since been fixed and its properties have been made public. The report shows that malicious parties could use this to take over someone else’s account and thus gain access to all content for which that person is authorized.

The vulnerability was in the way Slack’s various systems communicate with each other, specifically in the implementation of PostMessage, according to the bug’s discoverer. Rosén made an exploit by setting up a web page to extract authentication tokens from Slack users. These xoxs tokens then allowed attackers to pretend they owned that account. Because Slack is widely used for sharing information within organizations and companies, it could have potentially stolen company secrets.

A Slack spokesperson told Wired it had fixed the bug within five hours of receiving Rosén’s report. The logs did not show that the vulnerability was abused.

You might also like
Exit mobile version