U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A flaw in Slack app allowed hackers to take over a user account

A bug in the popular Slack application could be exploited by attackers to steal an access token and take over a user account. A serious flaw in the popular work chat application Slack could be exploited to take over a user account. The vulnerability was discovered by bug bounty hunter Frans Rosen who demonstrated that is possible […]

A flaw in Slack app allowed hackers to take over a user account

A bug in the popular Slack application could be exploited by attackers to steal an access token and take over a user account.

A serious flaw in the popular work chat application Slack could be exploited to take over a user account.

The vulnerability was discovered by bug bounty hunter Frans Rosen who demonstrated that is possible to steal Slack access tokens to impersonate a user. The flaw resides in the way the Slack application communicates data in an internet browser.

“I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.” reads a blog post published by Rosen. 

Slack leverages on the technology called postMessage that safely enables cross-origin communication.

Normally, scripts running on different web pages can access each other only if the pages are accessible through the same protocol (i.e. Both https), port number (443 is the default for https), and host (module Document.domain being set by both pages to the same value).

“Using window.addEventListener(‘message’, func) and window.postMessage() to pass messages is a really convenient way of performing Cross-Origin communication. However, the biggest pitfall (which we’ve covered multiple times before) is not checking the origin of the message.” explained Rosen.
Slack uses postMessage everytime it opens a new window to enable a voice call.
The Slack implementation of the postMessage lack of validation for the origin of all data exchanged between separate windows.

“Not validating them was a clear indication to me that I could start do fun stuff, like accessing the functions using postMessage to this window from another window I controlled.” added Rosen.

Once discovered the flawed implementation, the researcher demonstrated how to exploit the bug to steal a user’s access token.

Basically, he exploited the fact that if a user has a browser window, and open a new window by clicking on a link, those two windows can communicate each other through postMessage.

At this point, Rosen created a malicious page that is able to hijack the Slack application.

Below a video PoC of the hack in which the malicious webpage opens a Slack window that then forces a victim’s account to handover the access token:

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Slack, hacking)