
Critical vuln that lets miscreants hijack computers via Slack? *Sucks in air* We'll give you $1,750 for it
2020-08-31 21:28

A critical remote-code-execution vulnerability affecting past versions of the Slack desktop app was disclosed on Friday after the software maker fixed its app.

Back in January, Oskars Vegeris, a security engineer at Evolution Gaming, privately reported to Slack, through the HackerOne bug bounty program, a remote code execution vulnerability affecting versions 4.2 and 4.32 of its desktop apps for Linux, macOS, and Windows.

You then compose a Slack Post that abuses the HTML injection vulnerability to include your remote payload, and share that post with a Slack channel or user.

Asked about this, Slack's spokesperson said, "Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."

Austin told The Register he had previously reported several high-severity issues with the Slack desktop client, each of which took about three months to resolve and each of which resulted in a $1,500 payout.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/31/slack_app_electron_bug_squashed/