fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Slack Pays Stingy $1,750 Reward For A Desktop Hijack Vulnerability

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj?si=nytzAjvSR4qBqTbLP6pgKA

Slack Pays Stingy $1,750 Reward For A Desktop Hijack Vulnerability

Slack

A researcher responsibly disclosed multiple vulnerabilities to Slack that allowed an attacker to hijack a user’s computer, and they were only rewarded a measly $1,750.

Using these vulnerabilities, an attacker could simply upload a file and share with another Slack user or channel to trigger the exploit on a victim’s Slack app.

In his detailed writeup shared privately with Slack in January 2020, security engineer Oskars Vegeris of Evolution Gaming shared extensive details on the vulnerability.

“With any in-app redirect – logic/open redirect, HTML or javascript injection it’s possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE Javascript payload. This exploit was tested as working on the latest Slack for desktop (4.2, 4.3.2) versions (Mac/Windows/Linux),” said Vegeris.

A 5-second video demo Vegeris provided with the HackerOne writeup showed how he used a JSON file to trigger launching a native calculator application via Slack desktop app:https://player.vimeo.com/video/453044483

 

Multiple critical vulnerabilities

The HackerOne report made public by the company this week shows the engineer listing multiple ways in which Slack apps can be exploited.

The end result of the exploit would be arbitrary code execution on the client’s side i.e. user’s computer, not Slack’s backend.

An attacker could achieve HTML injection, arbitrary code execution, and also Cross-Site Scripting (XSS) due to inherent weakness in the files.slack.com code.

Just one HTML/JavaScript Proof-of-Concept (PoC) exploit posted by Vegeris shows how easy it is to launch the native calculator app, or anything else they’d like, by uploading the payload to Slack.

URL to this HTML file when injected in the area tag of a Slack JSON post representation would enable a “one-click-RCE” on the user’s machine.

“The URL link within the area tag would contain this HTML / JS exploit for Slack Desktop apps which executes any attacker provided command,” stated the engineer.

Slack remote code execution PoC
Slack remote code execution Proof-of-Concept (PoC) exploit
Source: HackerOne

In yet another comment, Vegeris said, “Previously reported keylogging might also be applicable,” referring to a 2019 bug report filed by Matt Langlois.

Also read: PDP Act (Personal Data Protection Act) Laws and Regulation

 

That’s a bounty?

The fact that Vegeris walked away with a mere $1,750 bug bounty after putting in a lot of time towards the responsible disclosure did not sit well with the infosec. community.

The general consensus on Twitter is, a $20 billion company Slack building messaging app used by major corporations, would’ve faced severe consequences had an exploit of this kind be sold on illicit dark web markets (which would’ve earned the engineer well more than $1,750).

Twitter criticizes Slack for low bounty
Twitter mocking Slack for paying a $1,750 bounty to the engineer who had responsibly reported critical flaws
Source: Twitter

Mashable reported further such instances of users lashing out at Slack, such as this one:

Daniel Cuthbert, hacker and co-author of the OWASP ASVS standard said in a Twitter thread, “Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless. The flaws found by this researcher result in the execution of arbitrary commands on user’s computer. The TL;DR is wow.”

Cuthbert pleaded Slack to “pay properly” for reports like these, as such exploits would sell for much more on black markets.

“For all that effort, they got awarded $1750. Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on exploit.in.”

In a promotional blog post released by Slack two months ago which celebrated its “app sandbox” feature, rather than disclosing the vulnerability details that led to its development, the company had also forgotten to credit Vegeris (this is now corrected).

That is when Vegeris requested a public disclosure on HackerOne this week, which invited a sincere apology from Slack. 

“My name is Larkin Ryder and I am currently serving as the interim Chief Security Officer here at Slack. @brandenjordan made me aware of this misstep and I am writing to convey very sincere apologies for any oversight in crediting your work. We very much appreciate the time and effort you’ve invested in making Slack safer,” stated Ryder in the report.

“While the security team didn’t author this blog post and the author has no visibility to your work in H1, we should make the extra steps to ensure all who contributed to improvement efforts in this area are recognized. I will investigate making appropriate updates to our blog post … Again, I am very sorry for any misstep on our part,” Ryder continued, thanking the engineer.

The proprietary business communication platform, Slack brags about having over 10,000,000 daily active users and is a recognizable brand among many workplaces.

While Slack may have patched the vulnerabilities in a little over five weeks of the report, cases like these underscore the potential damage that can arise from messaging apps as they keep growing their feature list (e.g. file uploads) and customer numbers, should there be a security weakness.

Also read: Top 10 Best Freelance Testing Websites That Will Pay You

https://www.youtube.com/watch?v=30eI59FlBdk

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us