Slack only took five hours to fix bug that could have allowed hackers to hijack your account

Frans Rosén, a security researcher at Detectify, has been awarded $3,000 from Slack after uncovering a serious vulnerability that could have helped hackers to seize control of users’ accounts.

As Threatpost reports, Rosén discovered flaws in Slack’s code that ultimately lead to a method of stealing a user’s private token, and gaining unauthorised access to accounts:

The researcher eventually came up with an exploit that allowed him to steal Slack tokens. To get this done, he built a malicious page specifically designed to pick up and store your token. When clicked, the malicious page proceeds to open a Slack call, which in turn initiates a WebSocket reconnect pointed at his rogue server.

Sign up to our free newsletter.
Security news, advice, and tips.

Of course, this methodology really requires a Slack user to be specifically targeted, and for that targeted user to click on a link or deliberately visit a boobytrapped webpage, containing the code that begins the attack.

Nonetheless, this isn’t the type of vulnerability that any security-conscious software firm wants lying around waiting to be abused, and Rosén praised Slack’s response for… err… not being slack in its response.

I sent the report to Slack on a Friday evening. They responded 33 minutes after my initial report and had a fix out 5 hours after that. Amazing.

I agree. It’s a great response that should set an example for other technology companies. And, remember, this was on a Friday afternoon.

Found this article interesting? Follow Graham Cluley on Bluesky or Mastodon to read more of the exclusive content we post.

---