Hackers may have been reading your Slack messages without you even knowing it.
A security researcher recently discovered a notable bug in the popular chat app Slack: After creating a malicious website, he could take total control of a user’s account and communications lines.
The issue stems from a bug in the browser version of the popular messaging app. After noodling around in the app (as security researchers do), Detectify Labs’ Frans Rosén noticed that he was able to hang up other people’s Slack calls. He then found a related loophole that let him intercept messages sent in the main app.
To exploit this, Rosén created a malicious web page that would reconnect a user’s Slack WebSocket to his own WebSocket, and then steal their private Slack token. (Specifically, once opened, the malicious web page would start a Slack call that redirected to his private server. This gave him access to the user’s unique token.) While this did not give him a user’s credentials, Rosén could then hijack a user’s Slack communications, ending phone calls at will or intercepting chat messages.
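The core defensive lesson in the flaw described above is that a web client must never let page-controlled input decide which WebSocket endpoint receives the session token. The following is an added example, written for this article and not code from Slack, Detectify Labs or Rosén's write-up (which this piece does not reproduce); the hostnames, the token value and the `connect` factory are constructed placeholders, and the allowlist check is one generic mitigation, not a description of the fix Slack actually shipped.

```javascript
// Added example (not Slack's code): validate a WebSocket (re)connect target
// before attaching a session token to it. ALLOWED_WS_HOSTS is an assumed
// allowlist of the app's own real-time hosts; the values are constructed.
const ALLOWED_WS_HOSTS = ['ws.example-chat.test'];

/**
 * Decide whether `candidateUrl` is an acceptable WebSocket endpoint:
 * it must use wss:, carry no embedded credentials, and point at an
 * allowlisted hostname. Anything else is refused with a reason.
 */
function checkWebSocketTarget(candidateUrl, allowedHosts = ALLOWED_WS_HOSTS) {
  let url;
  try {
    url = new URL(candidateUrl);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'wss:') {
    return { ok: false, reason: `refusing non-TLS scheme ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'embedded credentials not allowed' };
  }
  if (!allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  return { ok: true, url: url.toString() };
}

/**
 * Open the real-time session only when the target passes the check, so the
 * session token is never handed to an endpoint that failed validation.
 * `connect` is an injected factory returning an object with send(), which
 * keeps the logic testable offline (in a browser it would wrap `new WebSocket`).
 */
function openSession(candidateUrl, sessionToken, connect) {
  const verdict = checkWebSocketTarget(candidateUrl);
  if (!verdict.ok) {
    return { connected: false, reason: verdict.reason };
  }
  // Send the token as the first frame over the verified channel instead of
  // placing it in the URL, so it does not land in proxy or server logs.
  const socket = connect(verdict.url);
  socket.send(JSON.stringify({ type: 'auth', token: sessionToken }));
  return { connected: true, target: verdict.url };
}

// Stand-alone demonstration with a fake connect() that records sent frames.
function demo() {
  const sent = [];
  const fakeConnect = () => ({ send: (frame) => sent.push(frame) });
  const good = openSession('wss://ws.example-chat.test/rtm', 'CONSTRUCTED-TOKEN', fakeConnect);
  const bad = openSession('wss://attacker.invalid/rtm', 'CONSTRUCTED-TOKEN', fakeConnect);
  return { good, bad, framesSent: sent.length };
}

console.log(demo());
```

The point of routing every reconnect through `checkWebSocketTarget` is that a hostile page can at most make the client refuse to connect; it cannot redirect the authenticated channel to a server it controls, which is the outcome the article describes.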
While it’s unclear how long this vulnerability was around, there’s no evidence that it was exploited by hackers in the wild. And, in fact, after being reported, Slack fixed the issue within five hours—so your super secret Slack messages are now safe.
Since the bug is no longer a threat, Rosén detailed exactly how the exploit worked in a blog post here, along with Slack’s remedy. He got a $3,000 bug bounty for reporting the issue, as well.
H/T The Next Web
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.