A researcher fresh to the HackerOne bug bounty platform made their debut with a critical vulnerability in Slack that could be exploited for account takeovers.
The security flaw was reported by Evan Custodio on November 14, 2019. Custodio was able to find an HTTP Request Smuggling vulnerability on slackb.com.
This form of attack interferes with the sequence in which a website or app processes HTTP requests, typically where a front-end service forwards requests to a back-end server; any disparity in how the two interpret request boundaries can lead to data leaks and the bypass of existing security controls.
In Slack's case, the HTTP Request Smuggling vulnerability was found in an asset that could be used to force users into open redirects, leading to a CL.TE-based hijack and the theft of secret user session cookies. The stolen cookies could then be used to compromise arbitrary Slack customer accounts and sessions.
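The disparity described above comes down to two parsers framing the same request body by different rules: one honours Content-Length, the other honours Transfer-Encoding: chunked. The following added example (not Slack's code or the researcher's tooling; the request bytes, host name and function names are constructed for illustration) frames one such request both ways to show where the two parsers part company, and implements the gateway-side check that rejects an ambiguously framed request before it is forwarded.

```python
"""Detect and reject HTTP/1.1 requests whose body framing is ambiguous.

Constructed example. A front end that frames by Content-Length and a back end
that frames by Transfer-Encoding: chunked consume different amounts of the
stream; whatever is left over is treated by the back end as the start of the
next request. The safe gateway behaviour is to refuse such requests outright.
"""
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"


def parse_headers(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split a raw request into (request line, lower-cased header map, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def frame_by_content_length(raw: bytes) -> Tuple[bytes, bytes]:
    """Framing rule of a parser that honours only Content-Length.

    Returns (body consumed, bytes left unread on the connection).
    """
    _, headers, body = parse_headers(raw)
    n = int(headers.get("content-length", "0"))
    return body[:n], body[n:]


def frame_by_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """Framing rule of a parser that honours Transfer-Encoding: chunked.

    Decodes chunks up to the zero-length terminating chunk (trailer headers
    are not handled in this simplified decoder) and returns
    (decoded body, bytes left unread on the connection).
    """
    _, headers, body = parse_headers(raw)
    decoded = b""
    pos = 0
    while True:
        line_end = body.index(CRLF, pos)
        # chunk-size is hex; anything after ';' is a chunk extension we ignore
        size = int(body[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            pos = body.index(CRLF, pos) + 2  # skip the empty line ending the message
            return decoded, body[pos:]
        decoded += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def framing_ambiguity(raw: bytes) -> Optional[str]:
    """Gateway check: a reason to reject the request, or None if framing is clear.

    RFC 7230 section 3.3.3 says Transfer-Encoding overrides Content-Length when
    both are present and that the combination may be treated as an error;
    rejecting is the defensive choice, as is refusing any Transfer-Encoding
    whose final coding is not a plain 'chunked'.
    """
    _, headers, _ = parse_headers(raw)
    has_cl = "content-length" in headers
    has_te = "transfer-encoding" in headers
    if has_cl and has_te:
        return "both Content-Length and Transfer-Encoding present"
    if has_te:
        codings = [c.strip().lower() for c in headers["transfer-encoding"].split(",")]
        if codings[-1] != "chunked":
            return "unrecognised or obfuscated Transfer-Encoding value"
    return None


# Constructed request whose two framings disagree: Content-Length covers all
# 13 body bytes, but the chunked framing ends after the 5-byte "0\r\n\r\n".
AMBIGUOUS = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"LEFTOVER"
)

# Constructed request with a single, unambiguous framing header.
CLEAN = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    print("CL framing :", frame_by_content_length(AMBIGUOUS))
    print("TE framing :", frame_by_chunked(AMBIGUOUS))
    print("gateway    :", framing_ambiguity(AMBIGUOUS))
    print("clean      :", framing_ambiguity(CLEAN))
```

Run as a script, the two framings of the ambiguous request return different leftovers: the Content-Length parser consumes everything, while the chunked parser stops early and leaves the trailing bytes on the connection to be read as the next request. The gateway check flags that request and passes the clean one, which is the control a front end should apply regardless of how the back end parses.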
Custodio tested the vulnerability's scope using custom tooling and found that it was possible to automate the collection of "massive amounts" of session cookies and data.
"With this attack it would be trivial for a bad actor to create bots that consistently issue this attack, jump onto the victim session and steal all possible data within reach," the bug bounty hunter said.
The vulnerability has been awarded a CVSS severity score of 9.3.
As the Slack messaging platform is widely used in the enterprise, if this vulnerability had been exploited in the wild it could have had severe security ramifications, including the hijack of corporate users' accounts and the exposure of private company conversations.
The Slack team triaged and patched the "awesome finding" within 24 hours, leading to public disclosure on March 12, 2020.
Custodio was awarded $6,500 for his report. The researcher praised Slack's rapid response as "top-notch security."
Last year, Slack resolved a security issue in the Windows desktop client that could be abused to manipulate download links to replicate files on attacker servers, leading to data theft. The bug could be exploited whether or not an attacker was a member of a particular channel.