Slack has recently fixed a critical remote code execution vulnerability affecting its desktop apps. This RCE flaw posed a serious security threat to all Slack users.
Slack Critical RCE Flaw
Reportedly, the Slack desktop app had a critical RCE flaw that put its users at risk. The vulnerability first caught the attention of researcher Oskars Vegeris, who then reported it to Slack via HackerOne.
In his bug report, he explained the exploit in detail along with a video demonstration. Describing the bug, he stated,
Exploiting the flaw could allow an adversary to access private conversations and files within Slack, as well as passwords, private keys, and other data. An attacker could also make the exploit wormable, causing more damage to the victim.
Alongside this RCE bug, he also found an XSS vulnerability affecting the platform. Exploiting this flaw could allow phishing attacks as well as storing the reported RCE exploit.
Bug Bounty Awarded To The Researcher
The researcher first reported the vulnerability to Slack in January 2020. While the vendor patched the bug in February 2020, it took until now for the disclosure.
It also seems Slack inadvertently disclosed the bug from their end in a separate post. The firm’s Chief Security Officer, Larkin Ryder, apologized for this oversight.
Slack promptly awarded the researcher a $1,750 bounty for reporting the bugs. However, the researcher community did not consider this payout appropriate given the criticality of the exploit.
When asked about such payouts, a Slack spokesperson provided the following statement to Mashable.
Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers.
In March 2020, Slack also fixed numerous major bugs that could allow automated account takeovers.