Slack pays stingy $1,750 reward for a desktop hijack vulnerability


A researcher responsibly disclosed multiple vulnerabilities to Slack that allowed an attacker to hijack a user’s computer, and he was rewarded a measly $1,750 for it.

Using these vulnerabilities, an attacker could simply upload a file and share it with another Slack user or channel to trigger the exploit in the victim’s Slack app.

In his detailed writeup shared privately with Slack in January 2020, security engineer Oskars Vegeris of Evolution Gaming shared extensive details on the vulnerability.

“With any in-app redirect – logic/open redirect, HTML or javascript injection it’s possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE Javascript payload. This exploit was tested as working on the latest Slack for desktop (4.2, 4.3.2) versions (Mac/Windows/Linux),” said Vegeris.

A 5-second video demo Vegeris provided with the HackerOne writeup showed how he used a JSON file to launch a native calculator application via the Slack desktop app.


Multiple critical vulnerabilities

The HackerOne report made public by the company this week shows the engineer listing multiple ways in which Slack apps can be exploited.

The end result of the exploit would be arbitrary code execution on the client side, i.e. the user’s computer, not on Slack’s backend.

An attacker could achieve HTML injection, arbitrary code execution, and also Cross-Site Scripting (XSS) due to an inherent weakness in the code.

Just one HTML/JavaScript Proof-of-Concept (PoC) exploit posted by Vegeris shows how easy it is to launch the native calculator app, or any other command the attacker chooses, by uploading the payload to Slack.

A URL to this HTML file, when injected into the area tag of a Slack JSON post representation, would enable a “one-click RCE” on the user’s machine.

“The URL link within the area tag would contain this HTML / JS exploit for Slack Desktop apps which executes any attacker provided command,” stated the engineer.

Slack remote code execution Proof-of-Concept (PoC) exploit (Source: HackerOne)

In yet another comment, Vegeris said, “Previously reported keylogging might also be applicable,” referring to a 2019 bug report filed by Matt Langlois.

That’s a bounty?

The fact that Vegeris walked away with a mere $1,750 bug bounty after putting a lot of time into the responsible disclosure did not sit well with the infosec community.

The general consensus on Twitter is that Slack, a $20 billion company building a messaging app used by major corporations, would have faced severe consequences had an exploit of this kind been sold on illicit dark web markets (which would have earned the engineer well over $1,750).

Twitter mocking Slack for paying a $1,750 bounty to the engineer who had responsibly reported critical flaws (Source: Twitter)

Mashable reported further instances of users lashing out at Slack, such as this one:

Daniel Cuthbert, hacker and co-author of the OWASP ASVS standard, said in a Twitter thread, “Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless. The flaws found by this researcher result in the execution of arbitrary commands on user’s computer. The TL;DR is wow.”

Cuthbert pleaded with Slack to “pay properly” for reports like these, as such exploits would sell for much more on black markets.

“For all that effort, they got awarded $1750. Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on”

In a promotional blog post released two months ago celebrating its “app sandbox” feature, Slack did not disclose the vulnerability details that led to the feature’s development and had also neglected to credit Vegeris (this has since been corrected).

That is when Vegeris requested public disclosure on HackerOne this week, which prompted a sincere apology from Slack.

“My name is Larkin Ryder and I am currently serving as the interim Chief Security Officer here at Slack. @brandenjordan made me aware of this misstep and I am writing to convey very sincere apologies for any oversight in crediting your work. We very much appreciate the time and effort you’ve invested in making Slack safer,” stated Ryder in the report.

“While the security team didn’t author this blog post and the author has no visibility to your work in H1, we should make the extra steps to ensure all who contributed to improvement efforts in this area are recognized. I will investigate making appropriate updates to our blog post … Again, I am very sorry for any misstep on our part,” Ryder continued, thanking the engineer.

Slack, the proprietary business communication platform, boasts over 10,000,000 daily active users and is a recognizable brand in many workplaces.

While Slack patched the vulnerabilities within a little over five weeks of the report, cases like these underscore the potential damage a security weakness can cause in messaging apps as they keep growing their feature lists (e.g. file uploads) and customer numbers.

Source: BleepingComputer
