Why connect Slack?Īs one of the means of communication and data exchange within the company, Slack is prone to be a target for malicious actors. Slack is a widely used communication and collaboration app, and like other applications, it can host critical data, and be compromised by malicious users.
PDT: This story has been updated to include Slack's statement.Protect Slack using Microsoft Cloud App Securityįollowing popular demand, we are happy to publish our Slack app connector for Microsoft Cloud App Security! We should hope so, for the sake of Slack users everywhere. Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys.
SLACK DESKTOP APP GOVERNMENT CODE
A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up." Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. SEE ALSO: 7 Slack privacy settings you should enable now The spokesperson also noted that the company "implemented an initial fix by February 20." "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers." "Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone. We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.Īmazing report. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments. Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. For the security researcher, whose HackerOne handle is oskars, this resulted in a bug bounty payment of $1,750. It's worth emphasizing that the security researcher who discovered this vulnerability - a process that takes untold hours of work and is a literal job - decided to do what many would consider the right thing and report it to Slack via HackerOne. What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Slack's internal security team didn't even find the bug rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January. The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability - now fixed - that would have let hackers run wild on users' computers. Slack and its scores of desktop app users just dodged a major bullet.
0 kommentar(er)
