A serious flaw in the popular work chat application Slack could be exploited to take over a user account.
The vulnerability was discovered by bug bounty hunter Frans Rosen who demonstrated that is possible to steal Slack access tokens to impersonate a user. The flaw resides in the way the Slack application communicates data in an internet browser.
“I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.” reads a blog post published by Rosen.
Slack leverages on the technology called postMessage that safely enables cross-origin communication.
Normally, scripts running on different web pages can access each other only if the pages are accessible through the same protocol (i.e. Both https), port number (443 is the default for https), and host (module Document.domain being set by both pages to the same value).
“Not validating them was a clear indication to me that I could start do fun stuff, like accessing the functions using postMessage to this window from another window I controlled.” added Rosen.
Once discovered the flawed implementation, the researcher demonstrated how to exploit the bug to steal a user’s access token.
Basically, he exploited the fact that if a user has a browser window, and open a new window by clicking on a link, those two windows can communicate each other through postMessage.
At this point, Rosen created a malicious page that is able to hijack the Slack application.
Below a video PoC of the hack in which the malicious webpage opens a Slack window that then forces a victim’s account to handover the access token:
(Security Affairs – Slack, hacking)