{"id":19840,"date":"2022-08-11T16:10:24","date_gmt":"2022-08-12T00:10:24","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/08\/11\/news-13573\/"},"modified":"2022-08-11T16:10:24","modified_gmt":"2022-08-12T00:10:24","slug":"news-13573","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/08\/11\/news-13573\/","title":{"rendered":"Slack flaw exposed users&#8217; hashed passwords"},"content":{"rendered":"<p>Slack,&nbsp;the workplace communication platform, has notified some of its users that their hashed passwords have been subject to exposure for the last five years. The company&nbsp;<a href=\"https:\/\/href.li\/?https:\/\/slack.com\/intl\/en-gb\/blog\/news\/notice-about-slack-password-resets\" target=\"_blank\" rel=\"noreferrer noopener noreferrer\">wasn&rsquo;t specific<\/a>&nbsp;in its notice, but&nbsp;<a rel=\"noreferrer noopener noreferrer\" href=\"https:\/\/href.li\/?https:\/\/www.wired.com\/story\/slack-hashed-passwords-exposed\/\" target=\"_blank\">Wired said<\/a>&nbsp;that the flaw was in one of its &#8220;low-friction features&#8221;. The flaw exposed hashed passwords of users when creating or revoking shared invitation links for workspaces.<\/p>\n<p>&#8220;When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,&#8221; the company said in a notice. &#8220;It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.&#8221;<\/p>\n<p>Putting a plaintext password through a hashing algorithm changes it to a cryptographically scrambled or obfuscated version of itself, now called a &#8220;ciphertext&#8221;. It is a unique string of characters with a fixed length. 
Adding&nbsp;<a rel=\"noreferrer noopener noreferrer\" href=\"https:\/\/href.li\/?https:\/\/en.wikipedia.org\/wiki\/Salt_(cryptography)\" target=\"_blank\">&#8220;salt&#8221;<\/a>&mdash;essentially random data&mdash;when hashing would further protect the password from getting easily extracted by threat actors.<\/p>\n<p>The exposure only occurs behind the scenes, though, as Slack users who were sent these invitations couldn&#8217;t see the passwords. However, they weren&#8217;t completely inaccessible, although seeing the exposed passwords required actively monitoring encrypted traffic from Slack&rsquo;s servers.<\/p>\n<blockquote>\n<p>&ldquo;We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users&rsquo; Slack passwords.&rdquo;<\/p>\n<\/blockquote>\n<p>Slack&nbsp;<a rel=\"noreferrer noopener noreferrer\" href=\"https:\/\/href.li\/?https:\/\/www.bleepingcomputer.com\/news\/security\/slack-resets-passwords-after-exposing-hashes-in-invitation-links\/\" target=\"_blank\">warned<\/a>&nbsp;that hashes are &#8220;secure, but not perfect.&#8221; Hashed passwords could still be reversed by brute-force methods.<\/p>\n<p>Slack promptly patched the flaw after an independent security researcher reported it to Slack last month. It then notified the&nbsp;approximately 0.5 percent of all its users who may&nbsp;have been affected.<\/p>\n<p>The company also took this opportunity to advise its users to enable&nbsp;<a href=\"https:\/\/href.li\/?https:\/\/www.malwarebytes.com\/glossary\/multi-factor-authentication-mfa\" rel=\"noreferrer\">2FA (two-factor authentication)<\/a>&nbsp;on their accounts and create strong and unique passwords. 
It also advised users to check access logs, which they can find&nbsp;<a rel=\"noreferrer noopener noreferrer\" href=\"https:\/\/href.li\/?https:\/\/my.slack.com\/account\/logs\" target=\"_blank\">here<\/a>, for their accounts.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/08\/slack-flaw-exposed-users-hashed-passwords\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='left'>\n<p>Categories: <a href='https:\/\/www.malwarebytes.com\/blog\/category\/exploits-and-vulnerabilities' rel='category tag'>Exploits and vulnerabilities<\/a><\/p>\n<p>Slack was exposing user passwords for years. The bug has been swatted and the affected users informed.<\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/www.malwarebytes.com\/blog\/news\/2022\/08\/slack-flaw-exposed-users-hashed-passwords' title='Slack flaw exposed users' hashed passwords'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel='nofollow' href='https:\/\/www.malwarebytes.com\/blog\/news\/2022\/08\/slack-flaw-exposed-users-hashed-passwords'>Slack flaw exposed users&#8217; hashed passwords<\/a> appeared first on <a rel='nofollow' href='https:\/\/www.malwarebytes.com'>Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[22783],"class_list":["post-19840","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-exploits-and-vulnerabilities"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19840"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19840\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19840"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}