Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Slack Quickly Patches Account Hijacking Flaw

It only took the developers of the Slack team collaboration tool five hours to patch a critical vulnerability that could have been exploited to steal a user’s private token and gain access to their account.

It only took the developers of the Slack team collaboration tool five hours to patch a critical vulnerability that could have been exploited to steal a user’s private token and gain access to their account.

The security hole was identified by Detectify researcher Frans Rosén, who discovered that an attacker can steal a user’s token by getting them to access a specially crafted webpage.

The attack method targeted the xoxs token, which provides complete access to a user’s Slack account. A malicious hacker could have obtained this token by creating a page that reconnected the victim’s Slack WebSocket to their own WebSocket.

The vulnerability was reported by Rosén on February 17 and it was patched by Slack developers within five hours. The researcher, who currently has the second highest number of reputation points in Slack’s HackerOne bug bounty program, has been awarded $3,000 for his work.

Slack said it performed a thorough investigation to ensure that the vulnerability was never exploited for malicious purposes. Rosén has made available detailed technical information and a video demonstrating the attack.

Last year, Detectify warned that many developers had unknowingly leaked their Slack tokens on GitHub, exposing business-critical and other sensitive information. Experts identified more than 1,500 tokens at the time.

Slack has so far paid out more than $200,000 through its bug bounty program, including $9,000 to researcher David Vieira-Kurz for a couple of serious vulnerabilities that could have been leveraged to obtain sensitive information and take over user accounts.

Related: “Truffle Hog” Tool Detects Secret Key Leaks on GitHub

Related: Many Mobile Apps Unnecessarily Leak Hardcoded Keys

Related: Samsung Pay Token Flaw Allows Fraudulent Transactions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...