Slack quickly squashed a potential account hijack bug hours after it was reported.
Frans Rosén, a security researcher at Detectify, discovered a vulnerability in Slack that created a means for a malicious website to steal a user's Slack token, potentially seizing control of their account in the process. Slack fixed the bug in five hours after Rosén reported it through bug bounty outfit HackerOne last Friday. The security researcher earned $3,000 for his work.
In a statement, Slack said subsequent inquiries revealed that the flaw was never actually abused.
@fransrosen [Rosén] discovered a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens. We resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited.
Veteran security expert Graham Cluley praised Slack's prompt response to fix a flaw that, left unresolved, might have been abused in targeted attacks but not in mass compromises. "[A potential attack] methodology really requires a Slack user to be specifically targeted, and for that targeted user to click on a link or deliberately visit a booby-trapped webpage, containing the code that begins the attack," he said. ®