Major security flaw discovered in Slack


This time it is Frans Rosén who has warned the community of a new security flaw, and this time in Slack, one of the applications most widely used by companies of all kinds for their internal communications.

According to the information provided by the Detectify security researcher, Slack had a significant vulnerability through which a sufficiently knowledgeable user could gain full access to both the account and the messages written by any other user of the platform.

Slack fixes a serious security flaw on its platform in a matter of days.

Once the bug was discovered, Rosén contacted Slack to report it, and the report had quick effect: within days the bug was patched, so that a user's authentication token can no longer be stolen and later used to impersonate that user.

For those who do not know, the tokens generated by Slack are used by bots, scripts and other programs to integrate with Slack itself. Needless to say, anyone who gets hold of such a token has full access to your account, your teams and the messages you have sent or received.

According to what has been published, this authentication token could be stolen when the victim opened a malicious web page, due to a flaw in the browser version of the Slack platform itself. Rosén reportedly found this flaw while investigating a bug through which calls to other people could be hung up.

As a final detail, after the flaw was reported to Slack, the platform not only acted quickly to fix the problem but also rewarded Rosén with $3,000 for discovering it.
