Slack and Watch Secret Sessions Onlineits scores of desktop app users just dodged a major bullet.
The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability — now fixed — that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January.
Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. within Slack."
What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.
It's worth emphasizing that the security researcher who discovered this vulnerability — a process that takes untold hours of work and is a literal job — decided to do what many would consider the right thing and report it to Slack via HackerOne. For the security researcher, whose HackerOne handle is oskars,this resulted in a bug bounty payment of $1,750.
Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments.
Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone.
"Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."
The spokesperson also noted that the company "implemented an initial fix by February 20."
SEE ALSO: 7 Slack privacy settings you should enable now
Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up."
Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys. We should hope so, for the sake of Slack users everywhere.
UPDATE: Aug. 29, 2020, 1:49 p.m. PDT: This story has been updated to include Slack's statement.
Topics Cybersecurity
Skywatching is lit in May, says NASA
'Saltburn' and TikTok give 'Murder On The Dancefloor' new life
Notes on Notes by Mary Cappello
Wordle today: The answer and hints for January 5
Norrie vs. Diallo 2025 livestream: Watch Madrid Open for free
Letterboxd announces TV series reviews coming in 2024; apparently regrets saying so
Staff Picks: Boats, Brands, and Blasphemy by The Paris Review
What We Aren’t Seeing by Francine Prose
This is the fattest of the extremely fat bears
Best winter clearance sales: Amazon, Target, Best Buy, and Walmart
Best Max streaming deal: Save 20% on annual subscriptions
The Alien Gaze by C Pam Zhang
The Waiting Game by Hannah Ewens
Staff Picks: Night Skies, B Sides, and Neon Lights by The Paris Review
'The Last of Us' Season 2, episode 4: Why Ellie sings 'Take on Me'
YouTube demonetizes public domain 'Steamboat Willie' video after copyright claim
Obsession by Amanda DeMarco
Redux: Leaves Fall Off of the Trees by The Paris Review
Best Amazon Fire TV Cube deal: Save $30 at Amazon
Something to Hold On To: An Interview with Rumaan Alam by Cornelia Channing
Brie Larson brought Emma Stone to tears at the Oscars, but in a good wayThis one tweet explains that truly bizarre Oscars Best Picture mixup perfectlySean Spicer was once a terrifying White House Easter BunnyBrie Larson brought Emma Stone to tears at the Oscars, but in a good wayAMD FSR 4 vs Nvidia DLSS 4 at 4KThe best reactions to the biggest Oscars f*ck up of all timeIndia's financial capital is also its richest city and home to its wealthiest manYouTube comes to Comcast's XPlease, for the love of God, stop saying 'Hidden Fences'The best and worst moments of the craziest Oscars everIndia's prime minister wants everyone to tell their friends about this appThe White Helmets aren't happy about their Oscar win for a very important reasonNASA's TRAPPISTNever mind the Oscars, Britain hosted its own awards ceremony... for kebabs'Moana' star gets whipped in head with a flag midStop throwing coins into ponds, this sea turtle ate a whole bunch and needs surgeryIranian film 'The Salesman' wins Oscar in biggest political statement of the nightUniversity student takes on political outfit with viral online campaign, gets rape threatsAll the times the Oscars threw shade at Donald TrumpFinally, a phone that's perfect to bring to an EDM festival Super Typhoon Nock French village becomes home to the world's first solar panel road Google to fight Apple Watch head 17 'Rogue One' questions answered by the novel 7 films that show how Bollywood came of age in 2016 KFC China has another weird tech idea to get you to eat fast food 8 joyful examples of how Australian TV got even more bizarre in 2016 Hey procrastinators, here's how to score a holiday flight deal Slay your relatives with these 30 'Game of Thrones' gifts Donald Trump just posted his scariest tweet yet Passengers on Adam Saleh's flight refute claims he was kicked off for speaking Arabic Delight in the old How to Move PC Games to a New Drive: Steam, Origin, Windows Store, Epic Games, Battle.net & GOG Husband of slain politician to deliver alternative to Queen's Christmas Day address Doctor slays Boyz II Men cover so hard the musical legends had to comment 'That Dragon, Cancer' team makes a VR mystery game for Daydream 'Pokémon Go' will serve up free goodies on Christmas Day 9 animals that just want you to give them a big belly rub for Christmas Kid's festive Christmas drawing accidentally ends up very, very NSFW Bride and groom who love to eat get the ultimate wedding photos
2.1399s , 8223.34375 kb
Copyright © 2025 Powered by 【Watch Secret Sessions Online】,Steady Information Network