Security Week 36: Slack Critical Vulnerability

Last week, details of several critical vulnerabilities in the Slack messenger. Researcher Oskars Vegeris found a method for almost complete hacking of a corporate account – with data leakage, execution of arbitrary code on the victim’s computer, the ability to send an infected message to other users, and host a malicious script on Slack servers.

The attack on a desktop application using the Electron framework is carried out in two stages: the researcher first found a way to use two HTML tags – area and map, and then with their help loaded a script that executes arbitrary code on the victim’s machine. The scenario looks simple: an attacker shares a file, clicking on it executes malicious code. An alternative option is to steal a user’s session with understandable consequences: full access to corporate chat data. The bug was reported to the developers via the HackerOne platform in January. In March, the most serious part of the problem – the launch of the code – was eliminated, but the vendor was dragging out time for another six months, not allowing the publication of the vulnerability data for no particular reason.

Two months ago on the Slack blog appeared post about the need to isolate any external content: this innovation was caused, among other things, by a discovered vulnerability.

In general, everything ended well. However, the reward is noteworthy: $ 1,750 for a major security breach. Moreover, it is easily exploited – it is enough to have access to the attacked chat. Since the researcher did not publish the article himself, but asked to make a public ticket on HackerOne, you can look at the full correspondence of an independent specialist with the vendor. The claim for such a low amount of remuneration came not from the researcher himself, but from the outraged public. Yes, indeed, selling such a hole to a legitimate vulnerability broker could be more expensive. It’s even more profitable on the black market. On the other hand, Slack, unlike larger companies, does not promise a lot of money: they have a ceiling of $ 1,500 right on the bug bounty page. So it’s not just about money: even now, with most vendors running bug reward programs, there is still a choice of “which side to be on”.

What else happened:

There was a lot of discussion last week try bribe a Tesla employee to implant malicious code into the internal network. But there was another story related to the electric car manufacturer, about the ability to remotely control any Tesla car due to a bug in the server infrastructure. The error is old, from 2017, but with fresh details and even technical report.

Electronic Frontier Fund Specialists criticize spying on students during important exams, common in times of self-isolation. This article describes the functions of software serving similar purposes, which is not much different from spyware.

Vulnerability in the Safari browser allows steal user files. In this case, there is also a controversial point in the bug bounty program: Apple experts admitted the presence of a bug, but promised to close it in the spring of 2021, almost a year after notification. Another critical vulnerability shut down already in the Chrome browser.

Facebook company warns advertising partners that the innovations in iOS 14 will seriously complicate the profiling of users to serve relevant ads. We are talking about prohibiting the use of a single advertising device identifier, if the owner of the device so wishes.

Similar Posts

Leave a Reply