A serious flaw in the popular work chat application Slack could be exploited to take over a user account.
The vulnerability was discovered by bug bounty hunter Frans Rosen who demonstrated that is possible to steal Slack access tokens to impersonate a user. The flaw resides in the way the Slack application communicates data in an internet browser.
“I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.” reads a blog post published by Rosen.
Slack leverages on the technology called postMessage that safely enables cross-origin communication.
Normally, scripts running on different web pages can access each other only if the pages are accessible through the same protocol (i.e. Both https), port number (443 is the default for https), and host (module Document.domain being set by both pages to the same value).