Vulnerabilities in Slack could have led to account hijacking
Persistence pays off as security researcher nets bug bounty for unearthing an access control bypass allowing attackers to reset passwords if they know the usernames.
If successful, this flaw could enable a hacker to gain access to the requested resources of any Slack site
A security researcher has discovered a flaw in collaboration platform Slack that could have allowed a hacker to bypass access controls and hijack any account.
According to David Viera-Kurz, a security researcher at Idealo, the flaw was an access control bypass that could gain access to a backend control panel – the discovery of which earned him a bug bounty from Slack.
He said that Slack runs mod_status on the web server. The status module allows a server administrator to find out how well their server is performing and which resources have been requested by which IP addresses. “An attacker may make use of this information to craft an attack against the web server,” he said in a blog post.
But when he tried to access the server-status directive, the server redirected him to a login page located on the *.tinyspeck.com domain. So this path has been protected.
The researcher could not use mod_rewrite misconfigurations but soon found he could potentially bypass the routing mechanism or access control by adding multiple forward slashes.
He guessed that the applied filter checks if the string starts with a particular string and does strip a forward slash, but would eventually miss out stripping all slashes recursively. This, he found, worked.
After more investigation, he found that he could log out of his Slack account, but still request the server status without being logged in.
“That means that an attacker would potentially gain unauthorised access to the requested resources of any Slack site by accessing the server-status directive of a given workspace!” he said.
Viera-Kurz then found another problem following a Google search for common file extensions located on the Slack websites and found cached URLs.
“After a couple of requests I found that on the particular path to the administrative panel I could bypass the restriction if I use exactly four slashes, which only worked on this particular controller!”
Finally, the researcher discovered a backend admin panel called "mission control".
“In the mission control panel authorised people are able to read lots of metadata related to Slack user and Slack workspace by passing an ‘id' to the corresponding controller,” he said.
“Since the needed ‘id' is being exposed in the rendered HTML of my own Slack workspace, I read the metadata associated to my own account and sent these screenshots to the Slack security team. Besides that, it was identified that an attacker would be enabled to reset the password of any user by guessing their ‘id' and passing a request to the associated ‘reset' controller in the mission control panel,” he said.
This, he said, would allow any hacker to take over any account.
Overall, the researcher netted $US 9000 (£7250) in rewards for his bug finds.
Mark James, security specialist at ESET, told SCMagazineUK.com that if successful, this flaw could enable a hacker to gain access to the requested resources of any Slack site.
“It could also enable you to reset passwords and take over accounts for authorised personnel,” he said. “Once access is gained you could pretty well do as you please. This would enable you to potentially serve malware and or steal information. It would also be fairly easy to set up redirects to direct unsuspecting people to other dodgy websites serving malicious software.”
James added that once control has been gained the intruder would have all the authority they need to steal or replace data.
“In these cases it highlights the importance of bug bounty programmes. With the wealth of technical expertise available these days from not just one person on a monthly wage but anyone who commits to finding flaws and vulnerabilities, all of which can help to make your software safer and more secure.”
Paul Ducklin, senior technologist at Sophos, told SC that getting at server status data probably won't give attackers the sort of information they need to jump right in and steal user data.
“But web pages that are supposed to be private yet turn out to be public if you ask ‘in a funny way' are always a bad look, and often a bad omen,” he said. “As the researcher in this incident said, ‘I thought that I would earn the minimum bounty of $50 for reporting this misconfiguration issue.'
“But as the story shows, the fact that he'd found the first misconfiguration headed him in the right direction to rack up $9000 in bounty payments, giving him directly usable hints on how to get further and further into the system,” he added.