Slack managed to dodge a major flaw that had left its users vulnerable to attack.

Slack bug fixed

Slack could have been in serious trouble had it not managed to fix a major hiccup.


The tool, used for work communications by tech workers, D&D fans and journalists alike, was reported to have been exposed to a critical vulnerability, which has now been fixed. It could have been catastrophic had hackers got their hands on users’ computers. Slack’s internal security staff did not even trace the bug themselves. Instead, the bug was reported by a third-party security researcher via the bug bounty platform HackerOne in the month of January.

Remarkably, the bug would allow for something called “remote code execution”, which is not a very good thing for the affected systems. If any hacker had got through to users’ systems before the bug was fixed, it could have caused serious damage: access to files, passwords, keys, internal work access, users’ secrets and also the private conversations of Slack users. That’s not all. As per the disclosure, malicious hackers could possibly have made a wormable attack. In simple words, it would have meant that if one user of a team was attacked, that account would automatically re-share the payload to all the other users, which is dangerous.

Finding and reporting this vulnerability is not an easy task and requires several hours of research, and the security researcher deserves to be applauded for doing so. The bug was rightly reported to Slack through HackerOne, which resulted in a bug bounty payment of $1,750 for the security researcher, who goes by the HackerOne handle oskars.


Obviously, had the security researcher wanted, the bug could have been sold to a third-party exploit broker for much more money. There are companies willing to offer huge sums to buy zero-day exploits, which are in turn sold on to governments.

Some members of the computer security community were quick to voice their disagreement about such a significant bug receiving such a paltry payment.

Slack was approached to find out how it decides the size of its bug bounty payouts, whether it had heard the computer security community’s disagreement over the payout, and how it intended to respond to the criticism. A spokesperson for the company responded that there is no fixed amount for bug bounty payouts.

The spokesperson wrote that the company runs a bug bounty program that is critical to safeguarding Slack, and that it appreciates the contributions of the developer and security communities. Slack will be regularly reviewing the payout system to make sure the company recognises their work and creates value for its customers.

The spokesperson said the company had implemented an initial fix in February 2020.

Interestingly, Slack seems to have increased the amount it is willing to pay bug bounty researchers for coordinated disclosures. Looking at its HackerOne profile page, a remote code execution vulnerability is now listed as being worth in excess of $5,000.

It’s too late for oskars, but perhaps the next set of security researchers will feel encouraged to report a bug in Slack to the company. We might see this happening for the sake of Slack users all over the world.
