Slack whacks global account hijack holes

For a while there your Slack account could be hijacked with just a username

Hipster collaboration platform Slack has shuttered an access control bypass that allowed users to hijack any account.

The flaws reported by security researcher David Viera-Kurz lay in twin path traversal and access control bypasses.

Slack paid Viera-Kurz US$9000 for privately reporting two flaws under its bug bounty program.

Viera-Kurz (@secalert) found he was able to exploit a path traversal vulnerability to access an administrative panel.

From there he could tap the Slack's "mission control" server and use account ID metadata to reset passwords to Slack Workspaces, provided the ID was known.

"The Slack employees have access to a backend admin panel called mission control [which] authorised people are able to read lots of metadata related to Slack user and Slack workspace by passing an ID to the corresponding controller," Viera-Kurz says.

"... an attacker would be enabled to reset the password of any user by guessing their ID and passing a request to the associated reset controller in the mission control panel.

"This would allow an attacker to take over any account!"

Slack paid Viera-Kurz US$7000 for the latter vulnerability and US$2000 for the initial path traversal flaw that bypassed access controls.

"Sometimes you may identify a flaw that seems to be trivial from technical point of view, but may raise a high business impact or an increased data privacy issue to the affected company," he says. ®


Biting the hand that feeds IT © 1998–2017