Slack and awek kastam menari lucahits scores of desktop app users just dodged a major bullet.
The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability — now fixed — that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January.
Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. within Slack."
What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.
It's worth emphasizing that the security researcher who discovered this vulnerability — a process that takes untold hours of work and is a literal job — decided to do what many would consider the right thing and report it to Slack via HackerOne. For the security researcher, whose HackerOne handle is oskars,this resulted in a bug bounty payment of $1,750.
Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments.
Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone.
"Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."
The spokesperson also noted that the company "implemented an initial fix by February 20."
SEE ALSO: 7 Slack privacy settings you should enable now
Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up."
Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys. We should hope so, for the sake of Slack users everywhere.
UPDATE: Aug. 29, 2020, 1:49 p.m. PDT: This story has been updated to include Slack's statement.
Topics Cybersecurity
Outdoor Screening of 'Hachi'
Best noise
Best Nespresso deal: The Nespresso Vertuo Pop+ is just $69.99 at Woot
The biggest crypto heist ever: $1.5 billion stolen from Bybit cryptocurrency exchange
Workshop of New Velina Houston Play
Wordle today: The answer and hints for February 26, 2025
Best Wireless Xbox controller deal: $39 at Walmart
Scientists found huge beaches on Mars likely from a long gone ocean
‘A Divided Community’ to Be Screened at USC
The biggest crypto heist ever: $1.5 billion stolen from Bybit cryptocurrency exchange
LTHS Launches Short Story Contest
Best Pokémon TCG deal: Twilight Masquerade Booster Box restocks for Pokémon Day
Best pet deals: Spend $100, get $30 back at Chewy
Robotaxis and autonomous cars are still scary to most Americans
New Visions of Japanese Studies at UCLA
Amazon's AI
The biggest crypto heist ever: $1.5 billion stolen from Bybit cryptocurrency exchange
Seattle Sounders vs. Antigua GFC 2025 livestream: Watch Concacaf Champions Cup for free
Toshi Seeger, Wife of Pete Seeger, Dies at 91
Google makes it easier to monitor and remove personal information on Search
Telegram founder Pavel Durov promises to 'protect user data at any cost'Apple Event: 'Peek performance' was for 'ultra' people'The Afterparty' cinematographer shares secrets of every episode's lookDying in 'Elden Ring' is more funny than frustratingSteam Deck: How to check and see if your games library is supportedAirbnb is suspending all operations in Russia and Belarus'The Afterparty' finale explained with spoilers and celebrationNVIDIA Hackers: Let us mine cryptocurrency faster or we release your stolen dataGeneral Motors pilots bidirectional charging between EVs and homesA 'God of War' Amazon series? Christopher Judge is already the perfect Kratos. Scientists just named a newly discovered water beetle after Leonardo DiCaprio The Story Behind the Home of Forgotten Video Games Hey Donald Trump, this is the difference between climate and weather Crumbling National Park Service needs money and solutions Big Spring Sale Audible deal: 3 months for $0.99/month Why Building a Gaming PC Right Now is a Bad Idea, Part 2: Insane Graphics Card Prices Did Scott Kelly's DNA change in space? The answer isn't so simple Apple sued over Apple Intelligence feature delays A mom found a great solution to preserve her valuables from fire Unhuman Resources
0.2084s , 10110.65625 kb
Copyright © 2025 Powered by 【awek kastam menari lucah】Slack fixes major vulnerability that left desktop users open to attack,Feature Flash
