Communication office Slack platform is known for being easy to use and intuitive. But the company speak on Friday that one of its low-friction features contained a flaw, which has now been fixed, that exposed the encrypted versions of some users to obfuscation.
When a user creates or revokes a link — called a “shared invite link” — that others can use to sign up for a certain Slack workspace, the command also inadvertently transmits the hashed password. of the creator links to other members of that workspace. The vulnerability affected the passwords of anyone who created or deleted a shared invite link over a 5-year period, from April 17, 2017 to July 17, 2022.
Slack, that’s now own by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. Wrong passwords don’t show up anywhere in Slack, the company notes, and can only be caught by someone actively monitoring the relevant encrypted network traffic from Slack’s server. While the company said it’s unlikely the actual contents of any passwords were compromised due to the vulnerability, it announced the impact on users on Thursday and forced password resets for all. surname.
Slack said the situation affected about 0.5% of users. In 2019 the company speak it has more than 10 million daily active users, which means about 50,000 notifications. To date, the company could have almost doubled that number of users. Some users whose passwords were exposed over the course of 5 years may still not be Slack users today.
“We immediately took steps to implement a fix and release the update the same day the bug was discovered, on July 17, 2022,” the company said in a statement. “Slack has notified all affected customers and the passwords for affected users have been reset.”
The company did not respond to questions from WIRED at press time about what hashing algorithm it used on the passwords or whether the incident prompted broader reviews of its password management architecture. of Slack or not.
“Unfortunately in 2022, we are still seeing obvious errors as a result of failed threat modeling,” said Jake Williams, director of cyber threat intelligence at security firm Scythe. . “While apps like Slack certainly do security checks, bugs like this that only appear in edge case functionality are still missed. And obviously, the stakes are high when it comes to sensitive data like passwords.”
This situation highlights the challenge of designing flexible and usable web applications, while limiting access to highly valuable data such as passwords. If you get a notification from Slack, change your password and make sure you have two-factor authentication turned on. You can also view the access log for your account.
