Slack Addresses Potential Account Takeover Bug

  • There was a big threat to shared private data, channels, and conversation leak from the Slack platform.
  • Slack addressed a critical flaw within 24 hours from its disclosure.

A bug bounty hunter discovered a critical vulnerability in Slack, the popular team communication platform, that could have allowed cybercriminals to launch automated account takeover attacks.

What happened?
  • A web security researcher named Evan Custodio reported the bug to the Slack team via Slack's HackerOne bug bounty program.
  • Slack addressed the critical account takeover flaw within 24 hours upon disclosure.
  • It also rewarded the security researcher with a $6,500 bounty.

Who all could it affect?
Slack is one of the most famous messaging platforms across the world, used by organizations of various sizes.

  • Attackers could have carried out a massive data breach affecting a majority of customer data.
  • The bug could have posed was a big threat to shared private data, channels, and conversation leaks from the Slack platform.
  • Creating automated bots that are able to access a victim’s Slack session and steal sensitive data could be a petty deal.

As per the researcher, “With this attack it would be trivial for a bad actor to create bots that consistently issue this attack, jump onto the victim session and steal all possible data within reach.”

How does it work?
The researcher demonstrated the session takeover against arbitrary Slack customers. In his detailed write-up, the researcher said that the bug chain allowed him to steal session cookies in multiple steps.

  • The researcher revealed that he initially "exploited an HTTP Request Smuggling bug on a Slack asset to perform a CLTE-based hijack onto neighboring customer requests."
  • “This hijack forced the victim into an open-redirect that forwarded the victim onto the researcher’s collaborator client with slack domain cookies.”
  • “The posted cookies in the customer request on the collaborator client contained the customer’s secret session cookie.”

Closing comment
Meanwhile, another researcher also reported an issue that could allow an attacker running a malicious site to steal XOXS tokens and gain full control over victims’ accounts. Slack rewarded the researcher with a $3,000 bounty.