Slack Pays Bounty for Critical Vulnerability in Desktop App
2020-08-31 18:34

A security researcher was awarded a $1,750 bug bounty reward for discovering a remote code execution vulnerability in the Slack desktop applications.

An attacker could exploit the vulnerability to execute arbitrary code within Slack's desktop apps for macOS, Linux, and Windows.

"With any in-app redirect - logic/open redirect, HTML or JavaScript injection - it's possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload," the researcher explained.

Details of the security bug only became public last week, after the researcher discovered that Slack had fixed it without crediting his work and complained about this on HackerOne.

Following the public disclosure last week, the infosec community began mocking Slack on Twitter for awarding the researcher such a small bug bounty for his finding.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/zvvvKEHJBQc/slack-pays-bounty-critical-vulnerability-desktop-app