A Slack bug exposed some users’ hashed passwords for 5 years

The office-communication platform Slack is known for being easy to use and intuitive. But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users’ passwords.

How Hashed Passwords Got Exposed

When a user created or revoked a “shared invite link,” a link that others can use to sign up to a given Slack workspace, the command inadvertently broadcast the link creator’s hashed password to other members of that workspace as well. The flaw affected the password of anyone who created or revoked a shared invite link between April 17, 2017 and July 17, 2022.

Slack, now under new ownership, said a security researcher disclosed the bug to the company on July 17, 2022. The company says the hashed passwords were not visible anywhere in the Slack interface and could only have been captured by someone actively monitoring the relevant encrypted network traffic from Slack’s servers. Although the company says the actual content of any passwords is unlikely to have been compromised by the flaw, it notified affected users on Thursday and forced password resets for all of them.
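The bug class described in the two paragraphs above is a broadcast event that carries more of the creator’s record than the client ever renders, so the leak is invisible in the UI but present in every recipient’s network traffic. The following Python is an added illustration of that pattern and of two defences against it; it is hypothetical code written for this page, not Slack’s implementation, and the record layout, field names, event shape and the sensitive-key regex are all assumptions:

```python
"""Over-exposure in a workspace broadcast: the flawed pattern, an allowlisted
replacement, and a boundary check that refuses credential-bearing payloads.
Hypothetical code; not Slack's."""
from dataclasses import dataclass, asdict
import hashlib
import json
import re


@dataclass
class UserRecord:
    user_id: str
    display_name: str
    email: str
    password_hash: str      # must never leave the authentication service
    workspace_id: str


# Constructed sample record. SHA-256 is only a stand-in here; real password
# storage uses a slow, salted password hash.
SAMPLE_USER = UserRecord(
    user_id="U0001",
    display_name="alice",
    email="alice@example.invalid",
    password_hash=hashlib.sha256(b"correct horse").hexdigest(),
    workspace_id="W0001",
)


def build_invite_event_unsafe(creator: UserRecord, invite_url: str) -> str:
    """The flawed pattern: the whole record is serialised into the event.
    The client renders only display_name, so the extra fields go unnoticed
    on screen while still travelling to every workspace member."""
    event = {"type": "shared_invite_created",
             "creator": asdict(creator), "url": invite_url}
    return json.dumps(event)


# Explicit allowlist of creator fields a workspace event is permitted to carry.
CREATOR_PUBLIC_FIELDS = ("user_id", "display_name")


def build_invite_event_safe(creator: UserRecord, invite_url: str) -> str:
    """Hardened pattern: project the record onto the allowlist before it
    reaches the fan-out layer, so a new sensitive column added to
    UserRecord later cannot widen the payload by default."""
    public = {k: getattr(creator, k) for k in CREATOR_PUBLIC_FIELDS}
    event = {"type": "shared_invite_created", "creator": public, "url": invite_url}
    return json.dumps(event)


# Defence in depth: a last-line check at the fan-out boundary.
# The key pattern is illustrative, not exhaustive.
SENSITIVE_KEY = re.compile(r"(password|passwd|pw_hash|secret|token)", re.IGNORECASE)


def find_sensitive_keys(payload: str) -> list:
    """Return the dotted path of every JSON key that looks like it carries
    a credential. An empty list means the payload is clean."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if SENSITIVE_KEY.search(key):
                    found.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(payload), "")
    return found


def broadcast(payload: str) -> bool:
    """Stand-in for fan-out to workspace members. Returns True if the payload
    was sent and False if the boundary check blocked it."""
    return not find_sensitive_keys(payload)


if __name__ == "__main__":
    url = "https://example.invalid/join/abc123"  # constructed
    print("unsafe event blocked:", not broadcast(build_invite_event_unsafe(SAMPLE_USER, url)))
    print("safe event sent:     ", broadcast(build_invite_event_safe(SAMPLE_USER, url)))
```

The allowlist is the real fix: it makes the event’s contents an explicit design decision rather than whatever the record happens to hold. The boundary check catches the case the Slack bug illustrates, where a code path that is rarely exercised (creating or revoking an invite) bypasses the usual projection and no reviewer notices the extra field.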

Slack said the situation affected 0.5 percent of its users. In 2019 the company said it had more than 10 million daily active users, which would mean around 50,000 notifications; since then the company has almost doubled its user count. Some of the users whose passwords were exposed may no longer be Slack users after five years.

“We immediately took steps to implement a fix and released an update on July 17, 2022, the same day the bug was discovered,” the company said in a statement. “Slack has notified all affected users and affected users’ passwords have been reset.”

The company did not respond to questions from WIRED by press time about what hashing algorithm it used on passwords or whether the incident prompted a broader reevaluation of Slack’s password-management architecture.

“It’s unfortunate that in 2022 we’re still seeing bugs as a result of failed threat modeling,” says Jake Williams, director of cyber-threat intelligence at security firm Scythe. “While applications like Slack certainly perform security testing, bugs like these that only come in edge case functionality are still missed. And obviously, the stakes are very high when it comes to sensitive data like passwords.”

This situation underscores the challenge of creating flexible and usable web applications that still restrict access to high-value data such as passwords. If you receive a notification from Slack, change your password and make sure you have two-factor authentication turned on. You can also view the access logs for your account.