Slack Patched A Critical RCE Flaw In Desktop Apps

Slack has recently fixed a critical remote code execution vulnerability affecting its desktop apps. This RCE flaw posed a serious security threat to all Slack users.

Slack Critical RCE Flaw

Reportedly, the Slack desktop app had a critical RCE flaw that put its users at risk. The vulnerability was first discovered by security researcher Oskars Vegeris, who reported it to Slack through HackerOne.

In his bug report, he explained the exploit in detail and included a video demonstration. Describing the bug, he stated,

With any in-app redirect – logic/open redirect, HTML or JavaScript injection it’s possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload.

Exploiting the flaw could allow an adversary to access private conversations and files within Slack, as well as passwords, private keys, and other data. The researcher also noted that the exploit could be made wormable, increasing the damage to victims.

Alongside the RCE bug, he also found an XSS vulnerability affecting the platform. Exploiting this flaw could enable phishing attacks and could be used to store the reported RCE exploit.

Bug Bounty Awarded To The Researcher

The researcher first reported the vulnerability to Slack in January 2020. Slack initially patched the bug in February 2020, but public disclosure was delayed until much later.

Slack also appears to have inadvertently disclosed the bug itself in a separate post. The firm’s Chief Security Officer, Larkin Ryder, apologized for this oversight.

Slack awarded the researcher a $1,750 bounty for reporting the bugs. The security research community, however, criticized this payout as low given the criticality of the exploit.

When asked about such payouts, a Slack spokesperson provided the following statement to Mashable.

Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers.

In March 2020, Slack also fixed numerous major bugs that could allow automated account takeovers.



1 comment

megon September 5, 2020 - 6:40 pm
I think Slack has already fixed these flaws in desktop apps. The writer mama
