Recently-patched bug could allow attackers to access private conversations
The bug in the desktop application was discovered by researcher oskarsv, who reported the flaw through Slack’s HackerOne bug bounty program.
However, the billion-dollar company has been slammed for offering what critics have described as a low payment for a high-severity bug.
By leveraging the flaw, which has now been fixed, attackers could gain access to a user's private conversations and passwords, among other information.
The RCE bug was rated between nine and 10 on the CVSS scale.
The researcher also reported a lesser cross-site scripting (XSS) vulnerability leading to HTML injection in Slack. XSS payloads are out of scope for the company’s program, and therefore were not eligible for a separate report.
They wrote: “The vulnerability in my opinion is critical by itself and should be fixed either way.”
The company paid $1,750 as a reward, a move that was criticized on Twitter.
“I hope at least in future, programs pay a good bonus amount for exceptional bugs, if their bounty table is on the lower side,” @Ron_Fury wrote.
“An 18 billion dollar company paying less than $2k for a critical RCE is a disgrace,” @el__hijo added.
The XSS vulnerability could lead to HTML injection, oskarsv warned. They wrote: “During search for an entry point for the RCE exploit, it was discovered that emails (when sent as plaintext) are stored unfiltered on Slack servers at https://files.slack.com and with direct access returned as text/html, without force-download.
“This HTML file upload functionality can be used for storing the RCE payload – no need to use own hosting.”
They added: “Any email client can be used, i.e. in macOS’s default client you can press CMD+SHIFT+T to make an email plaintext, copy paste the RCE payload from above and embed it in your Slack Post HTML injection.”
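As an added example (not Slack's code or the researcher's), the check below inspects the response headers a file-serving endpoint returns for user-uploaded content and flags the two conditions the quote above names: the file is served as text/html, and there is no force-download. The sample responses are constructed.

```python
# Added example (not Slack's code): report the header conditions under which
# an uploaded file would render, and run script, on the serving origin.
from typing import Dict, List

# Types a browser will render (and execute script from) when shown inline.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns the value without parameters."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.split(";")[0].strip().lower()
    return ""


def assess_upload_response(headers: Dict[str, str]) -> List[str]:
    """Return the weaknesses found in a file-download response (empty = hardened)."""
    findings = []
    content_type = _header(headers, "content-type")
    disposition = _header(headers, "content-disposition")
    nosniff = _header(headers, "x-content-type-options") == "nosniff"

    if disposition != "attachment":
        findings.append("no force-download: Content-Disposition is not 'attachment'")
        if content_type in ACTIVE_CONTENT_TYPES:
            findings.append(f"uploaded file renders inline as {content_type}")
    if not nosniff:
        findings.append("no X-Content-Type-Options: nosniff (type may be sniffed)")
    return findings


# Constructed sample responses: the first mirrors the behaviour the article
# describes, the second is how a hardened file endpoint should answer.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Length": "512",
}
HARDENED_RESPONSE = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": 'attachment; filename="message.eml"',
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, assess_upload_response(resp) or ["ok"])
```

Serving uploads from a separate, cookie-less origin remains the stronger fix; the header check only catches the inline-rendering symptom described here.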
Slack has fixed the bug in desktop version 4.4.0.