A bug in the popular Slack application could be exploited by attackers to steal an access token and take over a user account.
A serious flaw in the popular work chat application Slack could be exploited to take over a user account.
![](data:image/svg+xml;charset=utf-8,<svg height="456px" width="630px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
The vulnerability was discovered by bug bounty hunter Frans Rosen who demonstrated that is possible to steal Slack access tokens to impersonate a user. The flaw resides in the way the Slack application communicates data in an internet browser.
“I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.” reads a blog post published by Rosen.
Slack leverages on the technology called postMessage that safely enables cross-origin communication.
Normally, scripts running on different web pages can access each other only if the pages are accessible through the same protocol (i.e. Both https), port number (443 is the default for https), and host (module Document.domain being set by both pages to the same value).
“Using window.addEventListener(‘message’, func) and window.postMessage() to pass messages is a really convenient way of performing Cross-Origin communication. However, the biggest pitfall (which we’ve covered multiple times before) is not checking the origin of the message.” explained Rosen.
Slack uses postMessage everytime it opens a new window to enable a voice call.
The Slack implementation of the postMessage lack of validation for the origin of all data exchanged between separate windows.
“Not validating them was a clear indication to me that I could start do fun stuff, like accessing the functions using postMessage to this window from another window I controlled.” added Rosen.
Once discovered the flawed implementation, the researcher demonstrated how to exploit the bug to steal a user’s access token.
Basically, he exploited the fact that if a user has a browser window, and open a new window by clicking on a link, those two windows can communicate each other through postMessage.
At this point, Rosen created a malicious page that is able to hijack the Slack application.
Below a video PoC of the hack in which the malicious webpage opens a Slack window that then forces a victim’s account to handover the access token:
[adrotate banner=”9″]
Pierluigi Paganini
(Security Affairs – Slack, hacking)
Pierluigi Paganini Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
