A security vulnerability in Slack, the popular cloud-based communication service used in workplaces around the world, was recently uncovered that could allow hackers to gain "complete access" to user accounts by pillaging security tokens.
The bug was found by Frans Rosén, an expert at the Swedish security firm Detectify, who submitted a report to bug bounty platform HackerOne on 26 February. He has applauded Slack's quick response to the issue after it released a fix in mere hours.
In a technical analysis, he said his interest was piqued after he spotted a flaw in the Chrome browser version of Slack that could be used to tamper with its call functionality. After further research, he crafted a malicious webpage to demonstrate how he could steal sensitive data.
When a user was directed to the malicious webpage and clicked on the link, it would open a Slack call and then initiate a reconnect that pointed directly at Rosén's command-and-control server, pilfering the user's security token.
Tokens of this kind are used to prove an identity to a web service after login, and often carry cryptographic material. Rosén was able to access Slack's tokens, which, in his own words, could allow for "full and complete access" to user accounts if exploited.
He said: "While the page wouldn't readily reveal user credentials, recovering the token is equally alarming as it could be easily exploited to obtain access to user accounts.
"I was able to control messages being parsed by the main application. I was also able to control messages being sent to the call-window, and one of the events in this window had another chunk of functions exposed to cross-domain control."
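The two weaknesses the article describes, cross-domain control of the messages reaching the call window and a reconnect that could be pointed at an arbitrary server, both come down to missing validation of where a message came from and where a redirect is going. The code below is an added example written for this article, not Slack's code and not Rosén's proof of concept. The trusted origin `https://app.example.com`, the message types (`reconnect`, `mute`) and the sample events are all constructed for illustration; the checks use the standard `URL` parser and the `postMessage` origin field, which are real browser and Node APIs.

```javascript
// Added example: defensive handling of cross-window messages and reconnect
// targets. Origins, message shapes and sample events are hypothetical.

const APP_ORIGIN = 'https://app.example.com';          // assumed app origin
const TRUSTED_ORIGINS = new Set([APP_ORIGIN]);         // allowlist, not a pattern

// A postMessage listener must check event.origin against an allowlist;
// without this check any page that can open or embed the window can talk to it.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// A reconnect target is safe only if it parses and resolves to a trusted
// https origin. Parsing with URL (rather than string prefix checks) rejects
// "https://app.example.com.attacker.invalid", "//attacker.invalid/..." and
// "javascript:" URLs alike.
function isSafeReconnectTarget(target, base = APP_ORIGIN) {
  let url;
  try {
    url = new URL(target, base);
  } catch (e) {
    return false;                                       // unparsable input
  }
  if (url.protocol !== 'https:') return false;
  return TRUSTED_ORIGINS.has(url.origin);
}

// Handler for messages arriving at the "call window". It validates origin,
// message shape and any reconnect URL before acting, and returns the decision
// so the caller (and tests) can inspect it.
function handleCallMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return { action: 'ignored', reason: 'untrusted origin' };
  }
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
    return { action: 'ignored', reason: 'malformed message' };
  }
  switch (data.type) {
    case 'reconnect':
      if (!isSafeReconnectTarget(data.url)) {
        return { action: 'ignored', reason: 'reconnect target not allowed' };
      }
      return { action: 'reconnect', url: new URL(data.url, APP_ORIGIN).href };
    case 'mute':
      return { action: 'mute' };
    default:
      return { action: 'ignored', reason: 'unknown type' };
  }
}

// When the parent must send something sensitive (such as a session token) to
// the call window, name the target origin explicitly; '*' would deliver it to
// whatever document currently occupies that window.
function postToCallWindow(win, message) {
  win.postMessage(message, APP_ORIGIN);
}

// Constructed sample events (not captured traffic) exercising the handler:
// a legitimate relative reconnect, an absolute off-site reconnect, a message
// from a foreign origin, and a look-alike host.
const SAMPLE_EVENTS = [
  { origin: APP_ORIGIN, data: { type: 'reconnect', url: '/call/reconnect?id=42' } },
  { origin: APP_ORIGIN, data: { type: 'reconnect', url: 'https://attacker.invalid/collect' } },
  { origin: 'https://attacker.invalid', data: { type: 'reconnect', url: '/call/reconnect' } },
  { origin: APP_ORIGIN, data: { type: 'reconnect', url: 'https://app.example.com.attacker.invalid/x' } },
];

function evaluateSamples() {
  return SAMPLE_EVENTS.map(handleCallMessage);
}

// Browser wiring; skipped under Node so the functions above stay importable.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (ev) => {
    const result = handleCallMessage(ev);
    if (result.action === 'reconnect') window.location.assign(result.url);
  });
}
```

Of the four sample events only the first is acted on; the other three are dropped with a reason that can be logged, which is also the signal a detection engineer would want when probing of the call window is attempted.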
It's a somewhat technical flaw, and as security commentator Graham Cluley points out, is only likely to be used in an extremely targeted fashion.
Luckily, in its response via HackerOne, Slack's technical team said the bug had not been exploited by hackers.
"We resolved [the] redirect issues, and performed a thorough investigation to confirm that this had never been exploited," wrote Max Feldman, a senior product security engineer at Slack, who later paid Rosén $3,000 (£2,400, €2,850) for his troubles.
The Detectify researcher said: "I sent the report to Slack on a Friday evening. They responded 33 minutes after my initial report and had a fix out five hours after that. Amazing."
It's not the first time Rosén's security firm has released research on Slack. In April last year, it uncovered over 1,500 tokens online belonging to a slew of huge companies, including internet service providers, healthcare providers, ad agencies and national newspapers.