EletiofeA Slack Bug Exposed Some Users’ Hashed Passwords for...

A Slack Bug Exposed Some Users’ Hashed Passwords for 5 Years

-

- Advertisment -

The office communication platform Slack is known for being easy and intuitive to use. But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users’ passwords. 

When users created or revoked a link—known as a “shared invite link”—that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator’s hashed password to other members of that workspace. The flaw impacted the password of anyone who made or scrubbed a shared invite link over a five-year period, between April 17, 2017, and July 17, 2022.

Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The errant passwords weren’t visible anywhere in Slack, the company notes, and could have only been apprehended by someone actively monitoring relevant encrypted network traffic from Slack’s servers. Though the company says it’s unlikely that the actual content of any passwords were compromised as a result of the flaw, it notified impacted users on Thursday and forced password resets for all of them. 

Slack said the situation impacted about 0.5 percent of its users. In 2019 the company said it had more than 10 million daily active users, which would mean roughly 50,000 notifications. By now, the company may have nearly doubled that number of users. Some users who had passwords exposed throughout the five years may not still be Slack users today.

“We immediately took steps to implement a fix and released an update the same day the bug was discovered, on July 17th, 2022,” the company said in a statement. “Slack has informed all impacted customers and the passwords for impacted users have been reset.”

The company did not respond to questions from WIRED by press time about which hashing algorithm it used on the passwords or whether the incident has prompted broader assessments of Slack’s password-management architecture.

“It’s unfortunate that in 2022 we’re still seeing bugs that are clearly the result of failed threat modeling,” says Jake Williams, director of cyber-threat intelligence at the security firm Scythe. “While applications like Slack definitely perform security testing, bugs like this that only come up in edge case functionality still get missed. And obviously, the stakes are very high when it comes to sensitive data like passwords.”

The situation underscores the challenge of designing flexible and usable web applications that also silo and limit access to high-value data like passwords. If you received a notification from Slack, change your password, and make sure you have two-factor authentication turned on. You can also view the access logs for your account.

Latest news

A New Tractor Jailbreak Rides the Right-to-Repair Wave

farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose...

VOLLEYBALL ROUNDUP: Holliday claims Bev Ball Classic championship

Size doesn’t matter. Ultimately, it’s all about heart and fight. Experience in big battles helps, too, and the Class...

Beatles tribute band off to Liverpool; sports betting in Raynham: Top Taunton stories

Before we begin the new week in earnest, we're taking a look back at the week that was, and...

Flaw in the VA Medical Records Platform May Put Patients at Risk

the U.S. Department of Veterans Affairs runs some interesting technology programs, but it's not known for being a flexible...
- Advertisement -

Kentucky’s John Calipari stands down after rare intra-athletic department feud with Mark Stoops

Is Kentucky a basketball school? Yes. Should John Calipari have said that? Probably not.The Wildcats basketball coach ignited the...

Wedding Professionals And Attendees Are Breaking Down The Cost Of Being In A Bridal Party

You upload a video of the bridal shower to your Instagram story: a cream-colored room with calla lilies, your...

Must read

A New Tractor Jailbreak Rides the Right-to-Repair Wave

farmers around the world have turned to tractor hacking...

VOLLEYBALL ROUNDUP: Holliday claims Bev Ball Classic championship

Size doesn’t matter. Ultimately, it’s all about heart and...
- Advertisement -

You might also likeRELATED
Recommended to you