WebRTC chat configuration snafu resolved

Open TURN proxy gave access to Slack's infrastructure

Security researchers have earned $3,500 after identifying flaws in Slack’s web infrastructure that allowed unauthorized access to internal services.

The security weakness arose because Slack’s TURN server permitted the relaying of TCP connections and UDP packets to the internal Slack network and metadata services on Amazon Web Services, a write-up by security researchers at Enable Security explains.

Traversal Using Relays around NAT (TURN) is a protocol that enables multimedia applications (voice or video) to work across firewalls and other network security elements that make use of network address translation (NAT).

The TURN servers set up by Slack mistakenly allowed TCP connections and UDP packets to be proxied to the internal network. “This gives an attacker the ability to scan and interact with internal systems,” Enable Security’s Sandro Gauci writes in a bug submission through HackerOne.

“By abusing this feature an attacker will be able to read and potentially modify sensitive information in Slack’s internal infrastructure,” Gauci explains.

“Typically, this security vulnerability has at least the same impact as an SSRF (Server-Side Request Forgery). However, it is considered more useful from an attacker’s point of view since attacks are not restricted to HTTP.”

The range of Slack services exposed by this security weakness – best classified as an Open TURN proxy – includes the AWS metadata service, localhost, and internal network services.

Enable Security worked with Slack to remedy the security configuration weakness, which was resolved long before the security consultancy decided to go public with its findings.

The security firm told The Daily Swig that Slack’s configuration errors offered lessons for other organizations.

“My advice is specific to WebRTC [Web Real-Time Communication] infrastructure: don’t forget to harden your TURN server,” a representative of Enable Security explained.

“In many cases, we think it could be put in a separate network (or security zone) so that it has no access to internal resources, reducing the impact of the issue.”
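The hardening advice above, illustrated as an added example rather than code from Enable Security or Slack: a peer-address filter of the kind a TURN relay should apply before honouring a client's permission, channel-bind or TCP connect request, refusing private, loopback, link-local (which covers the 169.254.169.254 cloud metadata address) and multicast destinations, and unwrapping the IPv4-mapped IPv6 spelling that a naive IPv4-only check would miss. The deny list and the `extra_denied` hook are assumptions chosen for the example; in coturn the equivalent controls are the `denied-peer-ip` setting and, where TCP relaying is not needed at all, `no-tcp-relay`.

```python
import ipaddress
from typing import Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed deny list for this example: destinations a relay should never
# reach on a client's behalf (private, loopback, link-local, multicast, ...).
DENIED_PEER_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local; covers the 169.254.169.254 metadata service
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def normalise_peer(peer: str) -> IPAddress:
    """Parse a peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def peer_permitted(peer: str, extra_denied: Iterable[str] = ()) -> bool:
    """Decide whether a relayed UDP packet or TCP connect to `peer` may proceed.

    `extra_denied` is a hypothetical hook for deployment-specific ranges such
    as the relay host's own addresses or the VPC CIDRs it sits in.
    """
    try:
        addr = normalise_peer(peer)
    except ValueError:
        return False  # unparsable address: fail closed
    networks = list(DENIED_PEER_NETWORKS)
    networks += [ipaddress.ip_network(n, strict=False) for n in extra_denied]
    return not any(addr.version == net.version and addr in net for net in networks)

def filter_permission_request(peers: Iterable[str], extra_denied: Iterable[str] = ()) -> dict:
    """Evaluate every peer in a CreatePermission-style request; one verdict each."""
    return {p: peer_permitted(p, extra_denied) for p in peers}

if __name__ == "__main__":
    # Constructed sample: addresses a client might ask the relay to talk to.
    sample = ["203.0.113.10", "10.0.0.5", "169.254.169.254",
              "::ffff:169.254.169.254", "127.0.0.1"]
    for peer, ok in filter_permission_request(sample).items():
        print(f"{'allow' if ok else 'deny':5} {peer}")
```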

Enable Security specialises in VoIP, WebRTC, and real-time communications security.
