This time it is Frans Rosén who has taken on the task of informing the community about a new security flaw, in this case in one of the applications commonly used by all kinds of businesses for their internal communication: Slack.
According to the information provided by the Detectify security researcher, Slack had a serious vulnerability through which a user with enough knowledge could gain full access to both the account and the messages written by any other user of the platform.
Slack corrects a serious security flaw on its platform in a matter of days.
Once the bug was discovered, Rosén got in touch with those in charge at Slack to report it, which has had a significant effect: in a matter of days the bug has been patched, so a user's authentication token can no longer be stolen and subsequently used to impersonate that user.
For those who don't know, the tokens generated by Slack are used so that bots, scripts or other programs can integrate with Slack itself. It goes without saying that anyone who manages to obtain this data can gain total access to your account, your team and the messages you have sent or received.
Apparently, and according to what has been published, this authentication token could be stolen simply by opening a malicious web page, due to a bug in the browser version of Slack's own platform. According to Rosén, he came across this flaw while investigating a different bug, one through which calls to other people could be hung up.
As a final detail, it is worth noting that after this flaw was reported to Slack, not only did the platform act quickly to solve the problem, but it also rewarded Rosén with 3,000 euros for discovering the fault.