Home > Tech

Slack fixes 'critical' vulnerability that left desktop app users open to attack

Thankfully a security researcher disclosed the vulnerability, instead of selling it to the highest bidder.
By Jack Morse  on 
Share on Facebook Share on Twitter Share on Flipboard
Slack fixes 'critical' vulnerability that left desktop app users open to attack
Credit: bob al-greene / mashable

Slack and its scores of desktop app users just dodged a major bullet.

The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability — now fixed — that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January.

Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. within Slack."

What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.

It's worth emphasizing that the security researcher who discovered this vulnerability — a process that takes untold hours of work and is a literal job — decided to do what many would consider the right thing and report it to Slack via HackerOne. For the security researcher, whose HackerOne handle is oskars, this resulted in a bug bounty payment of $1,750.

Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments.

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.

We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone.

"Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."

The spokesperson also noted that the company "implemented an initial fix by February 20."

SEE ALSO: 7 Slack privacy settings you should enable now

Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up."

Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys. We should hope so, for the sake of Slack users everywhere.

UPDATE: Aug. 29, 2020, 1:49 p.m. PDT: This story has been updated to include Slack's statement.

WATCH: It's surprisingly easy to be more secure online

Topics Cybersecurity

Mashable Image
Jack Morse

Professionally paranoid. Covering privacy, security, and all things cryptocurrency and blockchain from San Francisco.

Recommended For You
Grab the Dyson Airwrap Long Complete for $140 off if you're a Best Buy Plus or Total member
By Lauren Allain
a person stands against a white background while using the dyson airwrap complete long hair styling tool with a brush attachment
Home Depot's upgraded 12-foot skeleton and its new pet dog will debut this Thursday
By Haley Henschel
decorations from home depot's 2024 halloween collection
Celebrate World Book Day by saving up to 80% on Kindle books at Amazon
By Lauren Allain
a person sits outside, under a tree while reading on a kindle device
The wildest lyrics on Taylor Swift's 'The Tortured Poets Department,' from 'Grand Theft Auto' to Charlie Puth
By Elena Cavender
Taylor Swift performing at The Eras Tour in a black and red jumpsuit giving major side eye.
TikTok for Business: Everything you need to know
By Mashable Contributor
TikTok for Business
Trending on Mashable
NYT Connections today: See hints and answers for April 24
By Mashable Team
A phone displaying the New York Times game 'Connections.'
Wordle today: Here's the answer and hints for April 24
By Mashable Team
a phone displaying Wordle
Wordle today: Here's the answer and hints for April 25
By Mashable Team
a phone displaying Wordle
NYT Connections today: See hints and answers for April 25
By Mashable Team
A phone displaying the New York Times game 'Connections.'
NASA shows how Mars helicopter did the impossible, and then crashed
By Mark Kaufman
The Ingenuity helicopter snapped an image of its shadow while flying on Mars.
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!