The researcher Evan Custodio discovered a critical vulnerability in Slack that could have allowed attackers to launch automate account takeover.
Slack addressed the vulnerability within 24 hours it was reported by the researcher, the company rewarded Custodio with a $6,500 bounty.
Custodio “exploited an HTTP Request Smuggling bug on a Slack asset to perform a CL
The expert explained that the bug is extremely critical not only for Slack, but also for all customers and organizations which share their
“So it is my opinion that this is a severe critical vulnerability that could lead to a massive data breach of a majority of customer data. With this attack it would be trivial for a bad actor to create bots that
An attacker could have exploited this issue to create automated bots that are able to access a victim’s Slack session and steal sensitive data.
As Custodio further explained in his detailed write-up, the bug chain that allowed him to steal
Below the bug chain reported in the bug report:
dsession cookies and steals any/all
The bug could allow stealing cookies and used them into a browser to take over the account.
“This hijack forced the victim into an open-redirect that forwarded the victim onto the researcher’s collaborator client with slack domain cookies.” explained the expert.
“The posted cookies in the customer request on the
Slack also addressed another issue, which would allow an attacker running a malicious site to steal XOXS tokens and gain full control over victims’ accounts.
The flaw was reported by the researcher Frans Rosen that received a $3,000 bounty.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.