Office communication platform Slack is known for being easy and intuitive to use. But the company said Friday that one of its low-friction features contained a now-fixed vulnerability that exposed cryptographically hashed versions of some users’ passwords.
When users created or revoked a link, known as a “shared invite link,” that others could use to sign up for a given Slack workspace, the operation also inadvertently transmitted the password hash of the link’s creator to other members of that workspace. The bug affected the password of anyone who shared or deleted an invite link during a five-year window between April 17, 2017 and July 17, 2022.
Slack, now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The hashed passwords were not visible anywhere in Slack’s interface, the company says, and could only have been obtained by someone actively monitoring the relevant encrypted network traffic from Slack’s servers. While the company says it is unlikely the actual content of any passwords was compromised as a result of the bug, it notified affected users on Thursday and forced a password reset for all of them.
Slack said the situation affected about 0.5 percent of its users. In 2019, the company said it had more than 10 million daily active users, which would mean roughly 50,000 notifications. By now, the company may have nearly doubled that number of users. Some users who had their passwords exposed over the course of five years may not still be Slack users today.
“We immediately took steps to implement a fix and released an update the same day the bug was discovered, July 17, 2022,” the company said in a statement. “Slack has notified all affected customers and affected users’ passwords have been reset.”
The company did not respond to WIRED’s questions by press time about what hashing algorithm it used on passwords or whether the incident has prompted broader assessments of Slack’s password management architecture.
“It’s unfortunate that in 2022 we’re still seeing bugs that are clearly the result of a failed threat model,” says Jake Williams, director of cyber threat intelligence at security firm Scythe. “While apps like Slack definitely perform security testing, bugs like this that only show up in edge-case functionality are still missed. And obviously, the stakes are very high when it comes to sensitive data like passwords.”
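The bug pattern described above (an event broadcast to other workspace members that carries the whole creator record, password hash included) and Williams’s point about edge-case functionality slipping past testing can both be made concrete in code. The following is an added example, not Slack’s code and not based on any knowledge of Slack’s internals: the event shape, field names, and user record are assumptions. It contrasts a serializer that dumps the full user object with one that allowlists public fields, and includes a payload scan that a team can run as a regression check over every event type, including rarely exercised ones such as invite-link creation and revocation.

```python
import hashlib
import json
import os
from dataclasses import dataclass


# Constructed user record (hypothetical shape): a real account carries many
# internal fields, and only a few of them belong in anything sent to other members.
@dataclass
class User:
    user_id: str
    display_name: str
    email: str
    password_hash: str  # must never leave the server
    salt: bytes


def make_user(user_id, display_name, email, password):
    """Build a user with a salted PBKDF2 hash (illustrative parameters only)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(user_id, display_name, email, digest.hex(), salt)


# Keys whose presence in any outbound payload is a defect, wherever they are nested.
SENSITIVE_KEYS = {"password_hash", "salt", "password", "session_token"}


def vulnerable_invite_event(action, link_id, creator):
    """Bug pattern: serialise the entire creator object into the workspace event."""
    creator_json = {k: (v.hex() if isinstance(v, bytes) else v)
                    for k, v in vars(creator).items()}
    return {"type": f"invite_link.{action}", "link_id": link_id, "creator": creator_json}


# Fix: an explicit allowlist. A new field reaches other members only if someone
# deliberately adds it here, so accidental over-sharing cannot happen by default.
PUBLIC_USER_FIELDS = ("user_id", "display_name")


def hardened_invite_event(action, link_id, creator):
    """Same event, but only allowlisted creator fields are broadcast."""
    creator_json = {k: getattr(creator, k) for k in PUBLIC_USER_FIELDS}
    return {"type": f"invite_link.{action}", "link_id": link_id, "creator": creator_json}


def find_sensitive_fields(payload, path=""):
    """Walk a JSON-compatible payload and return dotted paths of any sensitive keys.

    Intended as a regression check applied to every event type an application
    emits, so that low-traffic features get the same scrutiny as common ones.
    """
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_sensitive_fields(value, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    alice = make_user("U1", "alice", "alice@example.invalid", "correct horse battery")
    for name, builder in (("vulnerable", vulnerable_invite_event),
                          ("hardened", hardened_invite_event)):
        event = builder("created", "L1", alice)
        leaks = find_sensitive_fields(event)
        print(name, json.dumps(event)[:80], "leaks:", leaks)
```

Run as a script it prints both event payloads and the leaked-field paths for each; wired into a test suite, `find_sensitive_fields` should return an empty list for every event an application can emit, which turns the “failed threat model” Williams describes into a check that fails loudly before release.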
The situation underscores the challenge of designing flexible and usable web applications that also store and limit access to high-value data such as passwords. If you received a notification from Slack, please change your password and make sure you have two-factor authentication turned on. You can also view your account access logs.