Slack finally discloses the RCE flaws in its desktop app

Security engineer Oskars Vegeris of Evolution Gaming disclosed multiple vulnerabilities in Slack that allow an attacker to upload a file and share it with another Slack user or channel, triggering the exploit in the victim's Slack desktop app.

He shared the detailed write-up privately with Slack in January 2020; it lays out the vulnerability in depth. As the researcher put it, “With any in-app redirect – logic/open redirect, HTML or javascript injection it’s possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE Javascript payload. This exploit was tested as working on the latest Slack for desktop (4.2, 4.3.2) versions (Mac/Windows/Linux).”

Alongside the HackerOne write-up, Vegeris provided a 5-second demo video showing how he used a JSON file to launch a native calculator application through the Slack desktop app. The company made the report public this week. It lists multiple ways the engineer found to exploit the Slack app.

The exploit results in arbitrary code execution on the user's computer, not on Slack's backend. Weaknesses in the Files.Slack.com code allow an attacker to achieve HTML injection, arbitrary code execution and cross-site scripting.

The single HTML/JavaScript proof-of-concept exploit Vegeris posted shows how easy it is to launch the native calculator app by uploading the payload to Slack.

Injecting the URL of this HTML file into the area tag of Slack's JSON post representation enables one-click RCE on the device. The engineer stated, “The URL link within the area tag would contain this HTML / JS exploit for Slack Desktop apps which executes any attacker provided command.”

In another comment, Vegeris said, “Previously reported keylogging might also be applicable,” referring to the bug report filed by Matt Langlois in 2019.

For these findings, the engineer was rewarded a measly $1,750. Many Twitter users say the engineer would have earned more than $1,750 had he sold the exploit on illicit dark web markets. There are various instances of users lashing out at Slack, such as this one:

Daniel Cuthbert, hacker and co-author of the OWASP ASVS standard, said in a Twitter thread, “Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless. The flaws found by this researcher result in the execution of arbitrary commands on the user’s computer. The TL;DR is wow.”

Cuthbert pleaded with Slack to pay properly: “For all that effort, they got awarded $1750. Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on exploit.in.”

The company had even failed to credit Vegeris in a promotional blog post released two months ago. Further, rather than disclosing the vulnerability details, the company used that post to celebrate its app sandbox feature.

It was only when Vegeris requested public disclosure of the findings through HackerOne that the company offered a sincere apology.

Slack's response, written by Larkin Ryder, says, “My name is Larkin Ryder and I am currently serving as the interim Chief Security Officer here at Slack. @brandenjordan made me aware of this misstep and I am writing to convey very sincere apologies for any oversight in crediting your work. We very much appreciate the time and effort you’ve invested in making Slack safer.”

Ryder continued, “While the security team didn’t author this blog post and the author has no visibility to your work in H1, we should make the extra steps to ensure all who contributed to improvement efforts in this area are recognized. I will investigate making appropriate updates to our blog post … Again, I am very sorry for any misstep on our part.”

At present, those vulnerabilities are patched; the fix landed a little over five weeks after the report.