It only took the developers of the Slack team collaboration tool five hours to patch a critical vulnerability that could have been exploited to steal a user’s private token and gain access to their account.
The security hole was identified by Detectify researcher Frans Rosén, who discovered that an attacker can steal a user’s token by getting them to access a specially crafted webpage.
The attack method targeted the xoxs token, which provides complete access to a user’s Slack account. A malicious hacker could have obtained this token by creating a page that reconnected the victim’s Slack WebSocket to their own WebSocket.
The vulnerability was reported by Rosén on February 17 and it was patched by Slack developers within five hours. The researcher, who currently has the second highest number of reputation points in Slack’s HackerOne bug bounty program, has been awarded $3,000 for his work.
Slack said it performed a thorough investigation to ensure that the vulnerability was never exploited for malicious purposes. Rosén has made available detailed technical information and a video demonstrating the attack.
Last year, Detectify warned that many developers had unknowingly leaked their Slack tokens on GitHub, exposing business-critical and other sensitive information. Experts identified more than 1,500 tokens at the time.
Slack has so far paid out more than $200,000 through its bug bounty program, including $9,000 to researcher David Vieira-Kurz for a couple of serious vulnerabilities that could have been leveraged to obtain sensitive information and take over user accounts.