{"id":6843,"date":"2017-03-02T14:30:20","date_gmt":"2017-03-02T22:30:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-634\/"},"modified":"2017-03-02T14:30:20","modified_gmt":"2017-03-02T22:30:20","slug":"news-634","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-634\/","title":{"rendered":"Slack bug paved the way for a hack that can steal user access"},"content":{"rendered":"

<\/p>\n

Credit to Author: Michael Kan| Date: Thu, 02 Mar 2017 12:36:00 -0800<\/strong><\/p>\n

One bug in Slack, the popular work chat application, was enough for a security researcher to design a hack that could trick users into handing over access to their accounts. <\/p>\n

Bug bounty hunter Frans Rosen noticed he could steal Slack access tokens to user accounts due to a flaw in the way the application communicates data in an internet browser. <\/p>\n

\u201cSlack missed an important step when using a technology called postMessage,\u201d Rosen said on Wednesday in an email. \u00a0 <\/p>\n

PostMessage is a kind of command that can let separate browser windows communicate with each other. In Slack, it\u2019s used whenever the chat application opens a new window to enable a voice call. <\/p>\n

Ideally, an application that uses postMessage will validate the origin of all data exchanged between separate windows, to keep the process secure. However, Slack wasn\u2019t doing this, according to Rosen. <\/p>\n

\u201cNot validating them was a clear indication to me that I could start to do fun stuff,\u201d he wrote in a blog post<\/a> for security firm Detectify, which he advises. <\/p>\n

Last week, he discovered the problem and realized he could siphon a user\u2019s access token through the postMessage bug. <\/p>\n

\u201cIf you have a browser window, and open a new window by clicking on a link, those two windows can communicate using postMessage,\u201d he said in an email. <\/p>\n

But what if one of those windows is an imposter? That\u2019s what Rosen essentially created with a malicious webpage that can hijack the Slack application. <\/p>\n

He demonstrated the theoretical hack in a video<\/a>. The malicious webpage will open a Slack window that then forces a victim\u2019s account to hand over its access token. <\/p>\n

Fortunately, Slack has fixed<\/a> the issue. The company has found after a thorough investigation that the flaw was never exploited, according to a posting on HackerOne, a bug bounty platform. <\/p>\n

“To work securely with postMessage you always need to verify the origin of every message,” Rosen added. <\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Michael Kan| Date: Thu, 02 Mar 2017 12:36:00 -0800<\/strong><\/p>\n

\n
\n

One bug in Slack, the popular work chat application, was enough for a security researcher to design a hack that could trick users into handing over access to their accounts.<\/p>\n

Bug bounty hunter Frans Rosen noticed he could steal Slack access tokens to user accounts due to a flaw in the way the application communicates data in an internet browser.<\/p>\n

\u201cSlack missed an important step when using a technology called postMessage,\u201d Rosen said on Wednesday in an email. \u00a0<\/p>\n

PostMessage is a kind of command that can let separate browser windows communicate with each other. In Slack, it\u2019s used whenever the chat application opens a new window to enable a voice call.<\/p>\n

To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11181,11098,714],"class_list":["post-6843","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-application-development","tag-enterprise-applications","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6843"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6843\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}