Bug in Slack allowed malicious parties to take over user accounts




Slack, a popular medium for information sharing within organizations and enterprises, was affected by a bug that allowed user accounts to be taken over. Attackers could gain access to all the channels of which the account was a member.

Frans Rosén, a security researcher at the company Detectify, discovered the bug last month and informed Slack. The vulnerability has since been repaired and its details made public. The report shows that a malicious party could take over someone else's account and thus access all content that person is authorized to see.

According to the discoverer of the bug, the vulnerability lay in the way different systems of Slack communicate with each other, and particularly in the implementation of postMessage. Rosén built an exploit by creating a web page that obtained the authentication tokens of Slack users. With these xoxs tokens, attackers could then act as if they were the owner of that account. Because Slack is widely used for sharing information within organizations and companies, trade secrets could have been stolen this way.
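The article does not describe the flaw beyond naming postMessage, so the following is an added example of the general defensive pattern for postMessage endpoints, not Slack's code: the receiver exact-matches the sender origin and message type, and the sender pins `targetOrigin`. The origin `https://app.example.com`, the `set-theme` message type and all function names are assumptions made for illustration.

```javascript
// Added example; origins, message types and names are constructed, not Slack's.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed trusted origin

// Build a "message" event handler that rejects untrusted or malformed messages.
function makeMessageHandler(allowedOrigins, actions) {
  return function onMessage(event) {
    // 1. Exact-match the sender origin; substring or prefix checks can be
    //    satisfied by look-alike hosts such as app.example.com.evil.test.
    if (!allowedOrigins.has(event.origin)) {
      return { accepted: false, reason: "untrusted-origin" };
    }
    // 2. Accept only structured messages whose type is explicitly registered.
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.type !== "string") {
      return { accepted: false, reason: "malformed" };
    }
    if (!Object.prototype.hasOwnProperty.call(actions, data.type)) {
      return { accepted: false, reason: "unknown-type" };
    }
    return { accepted: true, result: actions[data.type](data.payload) };
  };
}

// Sender side: never post sensitive data with targetOrigin "*"; the browser
// only delivers the message if the receiving window has the pinned origin.
function sendToTrusted(targetWindow, message, targetOrigin) {
  if (!ALLOWED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to unpinned or unknown origin");
  }
  targetWindow.postMessage(message, targetOrigin);
}

const state = { theme: "light" };
const handler = makeMessageHandler(ALLOWED_ORIGINS, {
  "set-theme": (p) => { state.theme = p === "dark" ? "dark" : "light"; return state.theme; },
});

// In a browser this is wired up once; in Node the handler is called directly.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handler(e));
}
```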

A spokesman for Slack told Wired that the company had fixed the bug within five hours of receiving Rosén's report. The logs did not reveal any abuse of the vulnerability.

