A Slack Bug Exposed Some Users’ Hashed Passwords for 5 Years

The office communication platform Slack is known for being easy and intuitive to use. But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users’ passwords. 

When users created or revoked a link—known as a “Shared Invite Link”—that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator’s hashed password to other members of that workspace. The flaw impacted the password of anyone who made or scrubbed a Shared Invite Link over a five-year period, between April 17, 2017, and July 17, 2022.

Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The errant passwords weren’t visible anywhere in Slack, the company notes, and could have only been apprehended by someone actively monitoring relevant encrypted network traffic from Slack’s servers. Though the company says it’s unlikely that the actual content of any passwords were compromised as a result of the flaw, it notified impacted users on Thursday and forced password resets for all of them. 

Slack said the situation impacted about 0.5 percent of its users. In 2019, the company said it had more than 10 million daily active users, which would mean roughly 50,000 notifications. By now, the company may have nearly double that number of users. Some users who had passwords exposed throughout the five years may not still be Slack users today.

“We immediately took steps to implement a fix and released an update the same day the bug was discovered, on July 17th, 2022,” the company said in a statement. “Slack has informed all impacted customers and the passwords for impacted users have been reset.”

The company did not respond to questions from WIRED by press time about which hashing algorithm it used on the passwords and whether the incident has prompted broader assessments of Slack’s password-management architecture.

“It’s unfortunate that in 2022 we’re still seeing bugs that are clearly the result of failed threat modeling,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “While applications like Slack definitely perform security testing, bugs like this that only come up in edge case functionality still get missed. And obviously, the stakes are very high when it comes to sensitive data like passwords.”

The situation underscores the challenge of designing flexible and usable web applications that are also architected to silo and limit access to high-value data like passwords. If you received a notification from Slack, change your password and make sure you have two-factor authentication turned on. You can also view the access logs for your account.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.