Slack developers have fixed a vulnerability that allowed attackers to take over other people's accounts. The problem was discovered in November 2019 by information security researcher Evan Custodio.
Custodio found the vulnerability using HTTP Request Smuggling attacks and his own tools. In essence, the bug allowed session cookies to be stolen through HTTP Request Smuggling, giving an attacker control over other people's accounts.
The researcher writes that the vulnerability was "extremely critical" for both Slack and all clients and organizations using the platform. Exploiting the bug could lead to "serious compromise of the majority of customer data," and attackers could create automated bots that would carry out continuous attacks, hijack victims' sessions and steal everything they could reach. The scheme of such an attack can be seen below.
Slack developers quickly fixed the vulnerability, and the researcher was paid $6,500 under the bug bounty program.
In addition, another dangerous bug, found by Detectify specialists, was fixed in Slack. The vulnerability allowed attackers to steal user authentication tokens, which could then provide complete control over the victim's messages and account. According to the experts who found the problem, attackers could create malicious sites to steal XOXS tokens. Disclosure of this bug earned the Detectify specialists $3,000 under the bug bounty program.