Slack bug let hackers access your private messages

Hackers may have been reading your Slack messages without you even knowing it.

A security researcher recently discovered a notable bug in the popular chat app Slack: After creating a malicious website, he could take total control of a user’s account and communications lines.

The issue stems from a bug in the browser version of the popular messaging app. After noodling around in the app (as security researchers do), Detectify Labs’ Frans Rosén noticed that he was able to hang up other people’s Slack calls. He then found a related loophole that let him intercept messages sent in the main app.

To exploit this, Rosén created a malicious web page that would reconnect a user’s Slack WebSocket to his own WebSocket, and then steal their private Slack token. (Specifically, once opened, the malicious web page would start a Slack call that redirected to his private server. This gave him access to the user’s unique token.) While this did not give him a user’s credentials, Rosén could then hijack a user’s Slack communications, ending phone calls at will or intercepting chat messages.

While it’s unclear how long this vulnerability was around, there’s no evidence that it was exploited by hackers in the wild. And, in fact, after being reported, Slack fixed the issue within five hours—so your super secret Slack messages are now safe.

Since the bug is no longer a threat, Rosén detailed exactly how the exploit worked in a blog post here, along with Slack’s remedy. He got a $3,000 bug bounty for reporting the issue, as well.

H/T The Next Web

 

Christina Bonnington

Christina Bonnington

Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.