
The office communication platform Slack is known for being easy to use and intuitive. But the company said Friday that one of its low-friction features contained a bug, now fixed, that exposed hashed versions of some users’ passwords.
When a user creates or revokes a link (called a “shared invite link”) that others can use to register for a given Slack workspace, the command also inadvertently transmitted the link creator’s hashed password to other members of that workspace. The vulnerability affects the password of anyone who created or revoked a shared invite link during the five-year period between April 17, 2017 and July 17, 2022.
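The failure mode described above, an event about a user's action that carries far more of that user's record than the recipients need, is shown below in an added example with hypothetical code (not Slack's): a leaky serializer beside an allow-list serializer, plus an egress check a test suite could run over outgoing payloads. All names and values are constructed.

```python
"""Added example: a broadcast event that leaks a password hash, the
allow-list fix, and a payload check. Hypothetical code, not Slack's."""
from dataclasses import dataclass, asdict
import json
import re

@dataclass
class User:
    id: str
    display_name: str
    email: str
    password_hash: str  # constructed sample value in __main__, never a real hash

def invite_link_event_leaky(creator: User, link: str) -> dict:
    """Vulnerable pattern: the whole creator record is serialized into the
    event, so every workspace member receives password_hash."""
    return {"type": "invite_link_created", "link": link, "creator": asdict(creator)}

PUBLIC_USER_FIELDS = ("id", "display_name")

def invite_link_event_safe(creator: User, link: str) -> dict:
    """Hardened pattern: only explicitly allow-listed fields cross the
    trust boundary to other members; everything else is dropped."""
    public = {k: getattr(creator, k) for k in PUBLIC_USER_FIELDS}
    return {"type": "invite_link_created", "link": link, "creator": public}

SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|hash)", re.I)

def leaked_keys(payload: dict, prefix: str = "") -> list:
    """Egress check: walk a payload recursively and report every key whose
    name suggests it carries a credential (e.g. creator.password_hash)."""
    found = []
    for key, value in payload.items():
        path = f"{prefix}{key}"
        if SENSITIVE_KEY.search(key):
            found.append(path)
        if isinstance(value, dict):
            found.extend(leaked_keys(value, path + "."))
    return found

if __name__ == "__main__":
    alice = User("U01", "alice", "alice@example.test", "$argon2id$CONSTRUCTED")
    link = "https://join.example.test/invite/CONSTRUCTED"
    for build in (invite_link_event_leaky, invite_link_event_safe):
        event = build(alice, link)
        print(build.__name__, "leaks:", leaked_keys(event), json.dumps(event))
```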
Slack, now owned by Salesforce, said a security researcher disclosed the vulnerability to the company on July 17, 2022. The company noted that the hashed passwords were not visible anywhere within Slack and could only be captured by someone actively monitoring the relevant encrypted network traffic from Slack’s servers. While the company said the actual content of any passwords was unlikely to have been compromised by the bug, it notified affected users on Thursday and forced password resets for all affected users.
Slack said the situation affected about 0.5 percent of its users. The company said it had more than 10 million daily active users in 2019, which translates to around 50,000 notifications. The company may have roughly doubled its user base since then, and some users who exposed their passwords over the past five years may no longer be Slack users today.
“We took immediate steps to implement a fix and released an update on July 17, 2022, the same day the vulnerability was discovered,” the company said in a statement. “Slack has notified all affected customers, and affected users’ passwords have been reset.”
As of press time, the company did not answer WIRED’s questions about which hashing algorithm it uses on passwords and whether the incident prompted a broader review of Slack’s password management architecture.
“Unfortunately, in 2022, we will still see errors that are clearly the result of failures in threat modeling,” said Jake Williams, director of cyber threat intelligence at security firm Scythe. “While apps like Slack certainly perform security testing, bugs like this that only appear in edge-case functionality can still be missed. Obviously, the stakes are very high when sensitive data like passwords are involved.”
This situation highlights the challenge of designing flexible, usable web applications that also compartmentalize and restrict access to high-value data such as passwords. If you receive a notification from Slack, change your password and make sure two-factor authentication is turned on. You can also review the access logs for your account.