
A Slack Bug Exposed Some Users’ Hashed Passwords for 5 Years | NEWSRUX

The workplace communication platform Slack is known for being simple and intuitive to use. But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users' passwords.

When users created or revoked a link, known as a "Shared Invite Link", that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator's hashed password to other members of that workspace. The flaw affected the password of anyone who made or scrubbed a Shared Invite Link over a five-year period, between April 17, 2017, and July 17, 2022.

Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The errant passwords were not visible anywhere in Slack, the company notes, and could only have been apprehended by someone actively monitoring relevant encrypted network traffic from Slack's servers. Though the company says it is unlikely that the actual content of any passwords was compromised as a result of the flaw, it notified affected users on Thursday and forced password resets for all of them.
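The flaw described above is an over-serialization bug: an event about an invite link carried the whole creator record, password hash included, to every workspace member. The following is an added example, not Slack's code and not something the article describes, showing that pattern beside a hardened allowlist serializer and an egress check that a test suite can run over every outbound event. All names (`User`, `serialize_event_unsafe`, `serialize_event_safe`, `leaks_credentials`, the sample data) are assumptions.

```python
# Added example, not Slack's code or anything from the article: a workspace
# event serializer that allowlists the fields a user object may expose, beside
# the over-serializing pattern that produces the kind of leak described above,
# plus an egress check a test suite can run on every outbound payload.
# All names (User, serialize_event_*, leaks_credentials) are assumptions.
import json
from dataclasses import asdict, dataclass


@dataclass
class User:
    id: str
    name: str
    email: str
    password_hash: str  # server-side only; must never reach another client


# Vulnerable pattern: dump the whole creator record into the broadcast event.
# Every field, including the password hash, goes to every workspace member.
def serialize_event_unsafe(action: str, link: str, creator: User) -> str:
    return json.dumps({"action": action, "link": link, "creator": asdict(creator)})


# Hardened pattern: an explicit allowlist per object type. Adding a column to
# User later cannot silently widen what the event carries.
PUBLIC_USER_FIELDS = ("id", "name")


def public_user(u: User) -> dict:
    return {k: getattr(u, k) for k in PUBLIC_USER_FIELDS}


def serialize_event_safe(action: str, link: str, creator: User) -> str:
    return json.dumps({"action": action, "link": link, "creator": public_user(creator)})


# Egress check: walk the outbound JSON and flag credential-looking keys or any
# string value equal to a known secret (here, the creator's hash). Run it in
# tests over every event type so an edge-case code path cannot leak unnoticed.
SENSITIVE_KEYS = {"password", "password_hash", "secret", "token", "api_key"}


def leaks_credentials(payload: str, known_secrets: frozenset = frozenset()) -> bool:
    def walk(node) -> bool:
        if isinstance(node, dict):
            return any(k.lower() in SENSITIVE_KEYS or walk(v) for k, v in node.items())
        if isinstance(node, list):
            return any(walk(item) for item in node)
        return isinstance(node, str) and node in known_secrets

    return walk(json.loads(payload))


# Constructed sample data (not real credentials or a real invite link).
SAMPLE_CREATOR = User("U01", "alice", "alice@example.test", "$2b$12$constructed-sample-hash")
SAMPLE_LINK = "https://example.test/join/constructed-invite-token"


def audit_invite_events() -> dict:
    """Serialize the same invite-link event both ways and report which leaks."""
    secrets = frozenset({SAMPLE_CREATOR.password_hash})
    unsafe = serialize_event_unsafe("invite_link.created", SAMPLE_LINK, SAMPLE_CREATOR)
    safe = serialize_event_safe("invite_link.created", SAMPLE_LINK, SAMPLE_CREATOR)
    return {
        "unsafe_leaks": leaks_credentials(unsafe, secrets),
        "safe_leaks": leaks_credentials(safe, secrets),
        "safe_creator": json.loads(safe)["creator"],
    }


if __name__ == "__main__":
    print(audit_invite_events())
```

The allowlist is the structural fix: a serializer that names what may leave the server fails closed when the model grows, whereas a denylist or a blanket `asdict` fails open. The egress check is the detection side, and it is cheap enough to apply to every event type, which is exactly where edge-case paths like link revocation tend to be missed.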

Slack said the situation affected about 0.5 percent of its users. In 2019, the company said it had more than 10 million daily active users, which would mean roughly 50,000 notifications. By now, the company may have nearly double that number of users. Some users who had passwords exposed over the five years may no longer be Slack users today.

"We immediately took steps to implement a fix and released an update the same day the bug was discovered, on July 17th, 2022," the company said in a statement. "Slack has informed all impacted customers and the passwords for impacted users have been reset."

The company did not respond to questions from WIRED by press time about which hashing algorithm it used on the passwords and whether the incident has prompted broader assessments of Slack's password-management architecture.

"It's unfortunate that in 2022 we're still seeing bugs that are clearly the result of failed threat modeling," says Jake Williams, director of cyber threat intelligence at the security firm Scythe. "While applications like Slack definitely perform security testing, bugs like this that only arise in edge case functionality still get missed. And obviously, the stakes are very high when it comes to sensitive data like passwords."

The situation underscores the challenge of designing flexible and usable web applications that are also architected to silo and limit access to high-value data like passwords. If you received a notification from Slack, change your password and make sure you have two-factor authentication turned on. You can also view the access logs for your account.
