Slack and ?? ??? ??its scores of desktop app users just dodged a major bullet.
The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability — now fixed — that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January.
Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. within Slack."
What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.
It's worth emphasizing that the security researcher who discovered this vulnerability — a process that takes untold hours of work and is a literal job — decided to do what many would consider the right thing and report it to Slack via HackerOne. For the security researcher, whose HackerOne handle is oskars,this resulted in a bug bounty payment of $1,750.
Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments.
Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone.
"Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."
The spokesperson also noted that the company "implemented an initial fix by February 20."
SEE ALSO: 7 Slack privacy settings you should enable now
Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up."
Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys. We should hope so, for the sake of Slack users everywhere.
UPDATE: Aug. 29, 2020, 1:49 p.m. PDT: This story has been updated to include Slack's statement.
Topics Cybersecurity
The sun's poles have flipped. A spacecraft is watching what happens next.
Hugging Face's new humanoid robot only costs $3,000
China investigates NVIDIA for alleged antitrust violations · TechNode
TSMC boosts 2nm test chip yield by 6%, potentially saving billions for clients · TechNode
В PUBG, inZOI и других играх появятся ИИ
BYD EV plant construction in Turkey won’t be delayed, gov says · TechNode
BYD reportedly sets up new team to work on AI algorithms, supercomputing · TechNode
Spectacular Webb telescope image shows a stellar death like never before
NASA's Perseverance rover just had a close call on Mars
XREAL launches new AR glasses XREAL One with native 3DoF spatial tracking · TechNode
Cat gets petty revenge by pushing another cat in the pool
Mate 70 series features 100% domestically produced chips: Huawei exec · TechNode
NASA rover finds weird, "mysterious" object on Mars
China investigates NVIDIA for alleged antitrust violations · TechNode
A NASA rover just exposed something on Mars that eluded orbiters
My first orgasm: In order to get off, I had to log off
Black Myth: Wukong nominated for Game of the Year at 2024 Steam Awards · TechNode
WeChat bans 209 accounts allegedly using AI to impersonate public figures · TechNode
The Weird World of AI Hallucinations
General Motors says its China business is on a recovery path · TechNode
Google's Cloud Print service will shut down for good in 2020Bird bets eHow to track your period using iOS 13 on an iPhone or Apple WatchFacebook launched a memeHow Hans Zimmer designed the sounds of a BMW electric vehicleEverything coming to Netflix in December 2019Greta Gerwig’s 'Little Women' is a beautiful story told well (review)It didn't take long for Disney+ passwords to be stolenIt's on: Tesla Cybertruck and Ford FHey, Disney+ people. You should give 'Flight of the Navigator' a shot. Woman hung 10,000 rainbow Christmas lights to protest a homophobic neighbor Magic mushrooms ease anxiety in cancer patients, studies show The Kickstarter campaign that's making fidgeting sexy Hey people, it's time to vote for wildlife photographer of the year How it felt to not know Trump won the election for 2 whole weeks You're blocked! How to get The Donald to block you on Twitter When no one bought this mom's crafts, Twitter stepped up to help Please enjoy this endless hallway decorated with Jake Gyllenhaal's face Arianna Huffington is now selling ridiculous things like phone beds Amazon Prime Shipping: A Cost Analysis
0.155s , 9951.375 kb
Copyright © 2025 Powered by 【?? ??? ??】Enter to watch online.Slack fixes major vulnerability that left desktop users open to attack,
