Slack and Watch Salyut 7 Onlineits scores of desktop app users just dodged a major bullet.
The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability — now fixed — that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January.
Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. within Slack."
What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.
It's worth emphasizing that the security researcher who discovered this vulnerability — a process that takes untold hours of work and is a literal job — decided to do what many would consider the right thing and report it to Slack via HackerOne. For the security researcher, whose HackerOne handle is oskars,this resulted in a bug bounty payment of $1,750.
Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments.
Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
This Tweet is currently unavailable. It might be loading or has been removed.
We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone.
"Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."
The spokesperson also noted that the company "implemented an initial fix by February 20."
SEE ALSO: 7 Slack privacy settings you should enable now
Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up."
Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys. We should hope so, for the sake of Slack users everywhere.
UPDATE: Aug. 29, 2020, 1:49 p.m. PDT: This story has been updated to include Slack's statement.
Topics Cybersecurity
Sony launches new flagship XM6 headphones: Order them now
George R.R. Martin is just tryin' to hang with the cool kids
United hates PR problems so much it's suing a parody website
'Fawlty Towers' fans, rejoice: John Cleese is returning to the BBC for a new sitcom
U.N. aims to make carbon emissions cost money at COP 25 climate talks
Not again. Another story about a United passenger emerges—this one with handcuffs.
This may be one of the fastest goals ever scored in a football match
Extremely happy elephant is super excited to meet the Queen
President Trump says semiconductor tariffs are next
Trailblazing astronaut to star in first ultra
Best soundbar deal: Save $300 on the Sonos Arc
'Bayonetta,' a game about sex angels and magic hair, is out on Steam
Paul Walker's mom to Vin Diesel: 'You lost your other half'
Xiaomi to launch new flagship phone on April 19
13 Good Games You Can Play on Laptops and Budget PCs
People totally freaked out about this fireball in the sky
Reporters share their bloopers in solidarity with daydreaming newsreader
'Fat or pregnant?' game show offends everyone. Surprise!
One of Android's Easter Eggs is a Flappy Bird
Chinese travellers are cutting up their United Mileage cards in anger
5 weird products Samsung unveiled at CES 2024: A yellow bot, a transparent TV, and more.The Sky Above, the Field Below by Hanif AbdurraqibThe Art of Distance No. 35 by The Paris ReviewDeath’s Traffic Light Blinks Red by Cathy Park HongCES 2024: The Mirokai animeToday's best Beats deal: Save 24% on Beats Studio Pro+Bellesa launches BB Outlet for inexpensive toysGolden Globes: Watch Lily Gladstone's powerful speech for historic winU Break It We Fix It by Sabrina Orah MarkStaff Picks: People, Places, and Poems by The Paris ReviewStaff Picks: Mammoths, Magazines, and Mysterious Marks by The Paris ReviewBrock Baker's 'Steamboat Willie' YouTube video has been demonetized againThe View Where I Write by John Lee ClarkWhen Waking Begins by Haytham El WardanyLong Live Work! by Dubravka UgresicHow to unblock ChatGPT for freeNo Walk Is Ever Wasted by Matthew BeaumontHow to unblock ChatGPT for freeThe Art of Distance No. 31 by The Paris ReviewRedux: Of Time Accelerated by The Paris Review Michael Bazzett, Dobby Gibson, and Sophie Haigney Recommend by The Paris Review At William Faulkner’s House by Benjamin Nugent There's a serious danger to the soft climate denial pedaled by Trump's cabinet picks 6 scientists are living like they're on Mars for the next 8 months John Wick Marathon by The Paris Review Mapping Africatown: Albert Murray and his Hometown by Nick Tabor and Kern M. Jackson The Birder by Maisie Wiltshire 3 guys happen to catch SpaceX launch from an airplane Best Roborock deal: Save 43% on the Roborock Q5+ robot vacuum India is remeasuring Mount Everest to find out if it shrunk after earthquake The Review’s Review: Don Carlo and the Abuse of Power by Krithika Varagur Are You Thunder or Lightning? by Sophie Haigney What is a homewrecker kink? TikTok accuses Ariana Grande of having one SpaceX's most recent rocket landing looks so sci “Then Things Went Bad”: How I Won $264 at Preakness by Tarpley Hitt Best Apple Watch deal: Get an Apple Watch Series 9 for 27% off Game 6 by Rachel B. Glaser Yelp introduces AI On Mary Wollstonecraft by Joanna Biggs Faring by Saskia Hamilton
2.7566s , 10132.5859375 kb
Copyright © 2025 Powered by 【Watch Salyut 7 Online】,Information Information Network