Security News > 2020 > August > Slack Pays Bounty for Critical Vulnerability in Desktop App
A security researcher was awarded a $1,750 bug bounty reward for discovering a remote code execution vulnerability in the Slack desktop applications.
An attacker could exploit the vulnerability to execute arbitrary code within Slack's desktop apps for macOS, Linux, and Windows.
"With any in-app redirect - logic/open redirect, HTML or JavaScript injection - it's possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE JavaScript payload," the researcher explained.
Details on the security bug became public only last week, after the researcher discovered that Slack had addressed the bug without crediting his work and complained about that on HackerOne.
Following the public disclosure last week, the infosec community has started mocking Slack on Twitter for awarding the researcher such a small bug bounty reward for his finding.
News URL
Related news
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)