Slack is a pretty cool app. Enterprises love it, and if you have had occasion to use it, it's mostly easy to see why. Sure, it has its weaknesses, but all in all it provides a much better way to channel communication between members of an organization than, say, WhatsApp. Recently, though, a serious vulnerability was disclosed that, had it gone unchecked, could have allowed attackers to read archived messages by stealing a Slack user's authentication token.
Credit for discovering the vulnerability goes to Detectify's Frans Rosén. Rosén built a proof of concept after noticing that the pop-up window Slack uses for calls could be made to hand over the user's authentication token. Slack opens a call in a pop-up window, and the main Slack page and that pop-up talk to each other with browser messages (window.postMessage). The pop-up, however, was not verifying where those messages came from before acting on them.
So a malicious web page could take up the role of the Slack page, send a forged message to the pop-up, and receive the authentication token in reply. The authentication token, in case you are unfamiliar with it, is essentially the credential for a logged-in session: whoever holds it can act as that user without ever knowing the password. With the token in hand, Rosén could pull all of the account's data, including the message archives, which is not something you would want to happen to your organization's Slack workspace.
At the core of the problem is the browser function window.postMessage. As Rosén put it:
[PostMessage] requires you to be careful. If you’re not, and if you’re not checking where the messages came from, messages could actually be sent from another web page.
Slack's failure lay in the fact that its message handler did not validate the evt.origin or evt.source properties of the incoming message event: evt.origin tells the receiver which origin sent the message, and evt.source is the window that sent it. Since Slack checked neither, Rosén was able to reach the token-returning function from his own page with a single postMessage call.
Fortunately, Rosén was acting as a security researcher with no ill intent. He reported the bug to Slack on a Friday evening. Slack responded quickly and had a fix out just five hours after the report was submitted, and Rosén, of course, received a bounty for his work.
Thank you Slack for a quick fix, and the bounty of $3,000.
You can read more about the vulnerability and get into the technical details by going right here. Meanwhile, Slack has looked over its logs for the past two years and says it found no evidence that the issue had ever been exploited. And thanks to Rosén, it won't be now.