Slack has recently fixed a critical remote code execution vulnerability affecting its desktop apps. This RCE flaw posed a serious security threat to all Slack users.

Slack Critical RCE Flaw

Reportedly, the Slack desktop app had a critical RCE flaw that put its users at risk. The vulnerability first caught the attention of researcher Oskars Vegeris, who then reported it to Slack via HackerOne.

In his bug report, he explained the exploit in detail and included a video demonstration. Describing the bug, he stated,

With any in-app redirect – logic/open redirect, HTML or JavaScript injection – it’s possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload.

Exploiting the flaw could allow an adversary to access private conversations and files within Slack, as well as passwords, private keys, and other data. An attacker could also make the bug wormable, spreading it from one victim to others for greater damage.

Alongside this RCE bug, he also found an XSS vulnerability affecting the platform. Exploiting this flaw could enable phishing attacks and also serve as a place to store the reported RCE exploit.

Bug Bounty Awarded To The Researcher

The researcher first reported the vulnerability to Slack in January 2020. While the vendor initially patched the bug in February 2020, public disclosure took considerably longer.

Slack also appears to have inadvertently disclosed the bug from its own end in a separate post. The firm’s Chief Security Officer, Larkin Ryder, apologized for this oversight.

Slack promptly awarded the researcher a $1,750 bounty for reporting the bugs. However, the security research community didn’t appreciate this payout given the criticality of the exploit.

When asked about such payouts, a Slack spokesperson provided the following statement to Mashable.

Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers.

In March 2020, Slack also fixed numerous major bugs that could allow automated account takeovers.

Let us know your thoughts in the comments.


Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
