• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Critical Slack Bug Lets Accessibility To Private Channels, Conversations

Critical Slack Bug Lets Accessibility to Private Channels, Conversations

You are here: Home / Latest Cyber Security Vulnerabilities / Critical Slack Bug Lets Accessibility to Private Channels, Conversations
August 31, 2020

The RCE bug impacts variations below 4.4 of the Slack desktop application.

A critical vulnerability in the preferred Slack collaboration application would make it possible for remote code-execution (RCE). Attackers could attain complete distant command more than the Slack desktop app with a prosperous exploit — and so obtain to personal channels, discussions, passwords, tokens and keys, and several capabilities. They could also probably burrow further more into an inside network, based on the Slack configuration, in accordance to a security report.

The bug (rated in between 9 and 10 on the CvSS vulnerability-severity scale), was disclosed on Friday, and involves cross-internet site scripting (XSS) and HTML injection. Slack for Desktop (Mac/Windows/Linux) prior to variation 4.4 are susceptible.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount



“With any in-application redirect-logic/open up redirect, HTML or JavaScript injection, it is achievable to execute arbitrary code inside Slack desktop apps,” wrote a bug-hunter likely by the deal with “oskarsv,” who submitted a report on the bug to Slack through the HackerOne system (earning $1,500). “This report demonstrates a exclusively crafted exploit consisting of an HTML injection, security handle bypass and a RCE JavaScript payload.”

In accordance to the disclosed technological writeup, attackers could bring about an exploit by overwriting Slack desktop application “env” features to generate a tunnel by way of BrowserWindow to then execute arbitrary JavaScript, in what is “a strange XSS case,” he mentioned.

Specialized Facts

To exploit the bug, attackers would need to upload a file to their own HTTPS-enabled server with a payload then, they could prepare a Slack write-up with an HTML injection containing the attack URL pointing to that payload (hidden in an picture). Following that, they need to have only to share that article with a community Slack channel or person. If a user clicks on the booby-trapped impression, the code will be executed on the victim’s equipment.

As for accomplishing the HTML injection, the issue lies in the way Slack posts are produced, according to the researcher.

“[Creating a post] makes a new file on https://information.slack.com with [a specific] JSON structure,” in accordance to the writeup. “It’s achievable to straight edit this JSON structure, which can incorporate arbitrary HTML.”

oskarsv additional, “JavaScript execution is restricted by Content Security Plan (CSP) and numerous security protections are in place for HTML tags (i.e. banned iframe, applet, meta, script, sort and so on. and concentrate on attribute is overwritten to _blank for A tags). Nonetheless, it is continue to attainable to inject space and map tags, which can be employed to attain a a single-click on-RCE.” He further spelled out that the URL hyperlink to the malicious payload could be published inside the spot tag.

Alternatively, oskarsv also identified that e-mails (when sent as plaintext) are stored unfiltered on Slack servers – a predicament that can be abused in purchase to store the RCE payload without the need of attackers needing to individual their very own hosting.

“Since it’s a trustworthy domain, it could have a phishing page with a pretend Slack login website page or various arbitrary written content which could impression both security and name of Slack,” he stated. “There are no security headers or any limits at all as far as I could tell and I’m guaranteed some other security influence could be shown with adequate time.”

Regardless of technique, exploits can be used to execute any attacker-delivered command, in accordance to the researcher.

“The payload can be effortlessly modified to accessibility all non-public discussions, documents, tokens and many others., devoid of executing instructions on the user’s laptop or computer,” he wrote, “[or] accessibility to private documents, private keys, passwords, tricks, inside network access, and many others.”

Even further, the payload could be designed “wormable” so that it re-posts to all person workspaces, the researcher included.

End users must make absolutely sure their Slack desktop applications are upgraded to at the very least variation 4.4 in buy to stay clear of assaults. The bug was patched in February, but has just now been disclosed due to the fact of a HackerOne disclosure hiatus on all bugs, which was in influence for various months.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to functioning a thriving Bug Bounty System. Resister today for this FREE Threatpost webinar “Five Necessities for Operating a Productive Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle general public vs . non-public courses and how to navigate the tricky terrain of running Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Previous Post: «How, And When, To Divvy Consequences To Workforce For Breaching How, and when, to divvy consequences to workforce for breaching security policy
Next Post: Android Consumers Bugged by Phony Popups Cyber Security News»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
  • Securing Data in the AI Era
  • Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
  • Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord
  • Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • What Security Leaders Need to Know About AI Governance for SaaS

Copyright © TheCyberSecurity.News, All Rights Reserved.