Bug Bounty Reward Discovered a Vulnerability in the Slack Desktop Applications

Onapsis

A security researcher has been awarded a $1,750 bug bounty reward for finding a flaw in Slack software applications with remote code execution.

An intruder may exploit the vulnerability inside Slack’s macOS , Linux, and Windows desktop apps to execute arbitrary code.

The problem was discovered by Evolution Gaming ‘s security engineer Oskars Vegeris who documented it via the company’s bug bounty programme on HackerOne in January 2020.

“With any redirect in-app-logic / open redirect, Markup, or JavaScript injection-arbitrary code can be executed within Slack desktop applications. This study reveals a specially designed exploit consisting of an HTML injection, security control bypass and RCE JavaScript payload, “explained the researcher.

Vegeris states that an attacker attempting to exploit the vulnerability will need to upload a file containing the RCE payload to their server, then create a Slack post containing HTML injection code and post it to a channel or send it to a particular user to achieve remote code execution by one click.

If the payload is enabled, the attacker can gain access to Slack’s private messages and data, as well as to system private information, private keys, passwords, codes, internal network access, and more.

The payload could also be coded to be wormable, meaning it would automatically be re-posted to all user workspaces after clicking.

In addition to this weakness, the researcher found a Cross-Site Scripting (XSS) flaw in files.slack.com that could result in the display of arbitrary HTML content on * .slack.com and phishing attacks via fake HTML login pages, but could also be misused to store the RCE exploit.

Just last week, after the researcher discovered that Slack had solved the bug (through the implementation of a sandbox) without crediting his work, details of the security bug became public and posted about it on HackerOne. Slack’s rectified it ever since.

“My name is Larkin Ryder and I currently work here at Slack as the Interim Chief Security Officer. @brandenjordan made this mistake known to me and I am writing to express my sincere apologies for any interference in crediting your job. We deeply appreciate the time and effort that you have put into making Slack safer, “Slack’s CSO said on HackerOne.

Following last week’s public disclosure, the infosec group has begun to ridicule Slack on Twitter for giving the researcher such a small bug bounty reward for his discovery. However, the company usually provides $1,500 for crucial found flaws in its products.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.