
A Slack bug has exposed some users’ hashed passwords for 5 years

The Slack office-communication platform is known for being easy and intuitive to use. But the company said Friday that one of its low-friction features contained a now-fixed vulnerability that exposed cryptographically hashed versions of some users’ passwords.

When users created or revoked a link — known as a “shared invite link” — that others could use to sign up for a specific Slack workspace, the command also inadvertently sent the link creator’s hashed password to other members of that workspace. The error affected the password of anyone who created or deleted a shared invite link over a five-year period, between April 17, 2017 and July 17, 2022.
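The article does not say how the leak happened inside Slack's code, but the shape it describes (an action by one user that emits a workspace-wide event carrying that user's own stored password hash) is a classic over-serialisation bug: the handler dumps the whole user record into the event instead of a public view of it. The following is an added example written for this page, not Slack's code; the `User` fields, the event names, and the PBKDF2 hashing (the article notes Slack did not disclose its algorithm) are all assumptions. It shows the vulnerable pattern beside the allowlist fix, plus a last-line guard that refuses to broadcast any payload containing a secret field name.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, asdict
from typing import Any, Optional, Set


@dataclass
class User:
    # Hypothetical user record; these field names are assumptions, not Slack's schema.
    id: int
    name: str
    email: str
    password_hash: str


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, illustrative only (the article does not say what Slack uses)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def invite_link_event_vulnerable(creator: User, link_id: str, action: str) -> dict:
    """Bug pattern: serialise the whole user record into a workspace-wide event.
    Every column, including password_hash, ends up on the wire to every member."""
    return {"type": f"shared_invite_link_{action}", "link_id": link_id, "creator": asdict(creator)}


# Allowlist of the only user attributes other workspace members should ever see.
PUBLIC_USER_FIELDS = ("id", "name")


def public_user_view(user: User) -> dict:
    """Explicit projection: new columns added to User later are excluded by default."""
    return {name: getattr(user, name) for name in PUBLIC_USER_FIELDS}


def invite_link_event_fixed(creator: User, link_id: str, action: str) -> dict:
    return {"type": f"shared_invite_link_{action}", "link_id": link_id, "creator": public_user_view(creator)}


# Defence in depth: key names that must never appear in any broadcast payload.
SECRET_KEYS = {"password_hash", "password", "email", "session_token"}


def find_secret_keys(payload: Any, path: str = "") -> Set[str]:
    """Walk nested dicts/lists and return the dotted paths of any secret keys found."""
    found: Set[str] = set()
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SECRET_KEYS:
                found.add(here)
            found |= find_secret_keys(value, here)
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            found |= find_secret_keys(item, f"{path}[{i}]")
    return found


def broadcast(event: dict) -> str:
    """Serialise an event for the workspace channel, refusing to send secret fields."""
    leaked = find_secret_keys(event)
    if leaked:
        raise ValueError(f"refusing to broadcast event containing secret fields: {sorted(leaked)}")
    return json.dumps(event)


if __name__ == "__main__":
    # Constructed sample data for the demo.
    alice = User(id=42, name="alice", email="alice@example.com", password_hash=hash_password("correct horse"))
    assert verify_password("correct horse", alice.password_hash)
    bad = invite_link_event_vulnerable(alice, "inv_123", "created")
    print("vulnerable event leaks:", sorted(find_secret_keys(bad)))
    print(broadcast(invite_link_event_fixed(alice, "inv_123", "created")))
```

The allowlist is the real fix: a denylist scanner like `find_secret_keys` is only a backstop, because it catches known key names rather than whatever sensitive column is added next. The same scanner is also useful as an integration test run against captured API responses, which is exactly where this bug lived for five years.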

Slack, now owned by Salesforce, says a security researcher reported the bug to the company on July 17, 2022. The hashed passwords were not visible anywhere in Slack, the company said, and could only have been discovered by someone actively monitoring the relevant encrypted network traffic from Slack’s servers. Although the company says it’s unlikely that the actual contents of passwords were compromised as a result of the flaw, it notified affected users Thursday and forced password resets for everyone affected. A hash is not the password itself, but a weak or reused password can still be recovered from its hash by offline guessing, which is why a reset is the appropriate response.

According to Slack, the situation affected about 0.5 percent of its users. In 2019, the company said it had more than 10 million daily active users, which would mean approximately 50,000 notifications. By now, the company may have nearly doubled that number of users. Some users whose passwords were exposed over the five years may not be Slack users today.

“We took immediate steps to implement a fix and released an update on the same day the bug was discovered, July 17, 2022,” the company said in a statement. “Slack has notified all affected customers and passwords for affected users have been reset.”

The company did not respond to questions from WIRED as of press time about what hashing algorithm it uses for passwords, or whether the incident has prompted broader reviews of Slack’s password management architecture.

“It’s unfortunate that in 2022 we’re still seeing bugs that are clearly the result of failed threat modeling,” said Jake Williams, director of cyber-threat intelligence at security firm Scythe. “While applications like Slack are definitely doing security testing, bugs like this, which only appear in edge cases, are still being overlooked. And of course there is a lot at stake when it comes to sensitive data like passwords.”

The situation underscores the challenge of designing flexible and usable web applications that also isolate and restrict access to high-value data such as passwords. If you received a notification from Slack, change your password and make sure you have two-factor authentication enabled. You can also review the access logs for your account for sessions or locations you don’t recognize.
