If you ever wake up feeling kind of down, just take a second to remember that you share your most private secrets, your company’s intellectual property, and your dog’s digestive issues over online chat. Then take another second to think about how even apps that take user security seriously can be breached, as a recent (and recently patched) Slack vulnerability proves. That feeling you’re feeling now? Deep relief that your latest backchannel smack-talk isn’t out there, exposed on the great wide internet.
On Tuesday, Slack disclosed a now-patched vulnerability in its browser application. Frans Rosén, a researcher at the web security company Detectify, submitted it to Slack’s bug bounty program in mid-February. If exploited, the vulnerability would allow an attacker to log into a Slack account as if they were the legitimate user of the account. From there, the attacker would have full access to look at chat histories, shared files, and any other group chats/channels the user had access to. It wouldn’t be good.
A configuration flaw in how Slack communicates with other domains caused the bug. When one website tries to access and communicate with another, some components (anything from sensitive data to fonts) may be restricted, so that they’re not automatically shared across the whole web. To coordinate appropriate resource sharing, websites use interfaces like the PostMessage function and WebSocket protocol to communicate. Rosén was able to create a webpage that could manipulate Slack’s implementation of these mechanisms. If a Slack user clicked Rosén’s malicious page, he could redirect the user’s Slack WebSocket (a sort of data tunnel) to his own WebSocket, and steal the user’s secret Slack authentication token. Also called a session token, it’s the emblem that forms when a user authenticates herself by logging into a service. Once an attacker stole an active session key, they would be able to access the Slack user’s full account, as if the user had voluntarily entered their username and password for the attacker. Even if Slack implemented end-to-end encryption this attack would still work, because it allows the attacker to impersonate the legitimate user after decryption has taken place.
Once it received Rosén’s submission, Slack says that it patched the vulnerability within five hours, and then went back through its logs in detail to check for evidence that the bug had previously been exploited by a malicious actor. Thankfully, the search came up empty. “This bug is exactly why we invest in our public bug bounty program,” says a Slack spokesperson. “The added brainpower of the developer and security communities is invaluable in keeping the service safe for everyone.”
Hopefully no one, given how quickly Slack patched the vulnerability and the clean back-check of the logs. But Slack has over 4 million active users trading juicy gossip every day. Since this vulnerability would have allowed an attacker to gain full access to user accounts and total control over them (as long as the session token remained valid) a lot of extremely valuable data was potentially at risk. And the access this vulnerability could have granted means that even implementing full end-to-end encryption for user data, which Slack doesn’t currently offer, wouldn’t have protected users from this particular attack.
One of the reasons for researching and disclosing this bug, according to Rosén, is the need to raise awareness about these types of WebSocket and PostMessage vulnerabilities. “I saw a trend,” he says. “I wanted to show a good example of how bad it could get.”
The conditions that allow for this attack aren’t present in every web application and are also easily preventable in most cases. But that’s why learning from these types of incidents is so crucial. “Not everything is going to be vulnerable to this issue, but it’s pretty interesting,” says Alex McGeorge, head of threat intelligence at the security firm Immunity Inc. “I think [Rosén] is right. There are going to be more vulnerabilities like this.”
If nothing else, take it as a valuable reminder that what you say online may not stay private forever. In fact, it’s probably best to assume that it won’t.