Slack has fixed a security flaw that allowed hackers to automate the takeover of arbitrary accounts after stealing session cookies using an HTTP Request Smuggling CL.TE hijack attack on https://slackb.com/.
Web security researcher and bug bounty hunter Evan Custodio reported the bug to the team collaboration platform’s security team via Slack’s HackerOne bug bounty program on November 14th.
Slack fixed the bug within 24 hours according to the bug report’s timeline and rewarded Custodio with a $6,500 bounty, with the report being publicly disclosed just two days ago.
Bug could have led to a massive data breach
Custodio says that the bug was “extremely critical” for both Slack and all the platform’s customers and organizations that share private data, channels, and conversations on Slack as it “could lead to a massive data breach of a majority of customer data.”
Using an attack targeting this bug would have allowed malicious actors to create automated bots that could attack the vulnerable in-scope Slack asset continuously, jump onto a victim’s session, and steal all reachable data.
As Custodio further explained in his detailed write-up, the bug chain that allowed him to steal session cookies included multiple steps.
The researcher “exploited an HTTP Request Smuggling bug on a Slack asset to perform a CL.TE-based hijack onto neighboring customer requests,” the bug report reads.
“This hijack forced the victim into an open-redirect that forwarded the victim onto the researcher’s collaborator client with slack domain cookies.
“The posted cookies in the customer request on the collaborator client contained the customer’s secret session cookie. With this attack, the researcher was able to prove session takeover against arbitrary slack customers.”
Once the cookies were stolen, attackers would only have to load them into a browser to gain full control of the account and collect and exfiltrate all of its data.
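As an added illustration of the precondition the write-up describes, and not code from the report or from Slack, the check below flags request heads whose body length is ambiguous, which is exactly the situation a CL.TE desync relies on: a request carrying both Content-Length and Transfer-Encoding, so a front end honouring one and a back end honouring the other disagree on where it ends. The sample request heads and the strict "bare chunked only" policy are constructed assumptions for this example.

```python
import re

# Constructed sample request heads (not taken from the bug report).
AMBIGUOUS_HEAD = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)
CLEAN_HEAD = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Content-Length: 6\r\n\r\n")


def parse_headers(head: bytes) -> list:
    """Return (name, value) pairs from a request head. Names are lower-cased and
    whitespace around the colon is stripped, so 'Content-Length : 6' is still
    recognised as a framing header rather than silently ignored."""
    header_block = head.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in header_block.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().lower().decode("latin-1"),
                          value.strip().decode("latin-1")))
    return pairs


def framing_problems(head: bytes) -> list:
    """List the reasons a request's body length is ambiguous; an empty list means
    a front end and a back end cannot disagree on where this request ends."""
    headers = parse_headers(head)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    problems = []
    if cls and tes:
        # The RFC 7230 section 3.3.3 case behind CL.TE / TE.CL desyncs.
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cls):
        problems.append("non-numeric Content-Length")
    # Strict policy (an assumption here): only the bare 'chunked' token is accepted.
    if any(v.lower() != "chunked" for v in tes):
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    return problems
```

A reverse proxy that answers 400 whenever framing_problems() is non-empty, instead of forwarding the request, removes the disagreement such an attack depends on.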
So I did promise blog posts on RS CLTE-style attacks, I guess this will have to do for now. Often times with RS hijacking you can throw a victim into an open redirect to steal their tokens/cookies. Many thanks to @SlackHQ for fixing this within 24-hours of discovery #bugbounty https://t.co/EUm6pNgjlF
— Evan Custodio (@defparam) March 12, 2020
Slack also fixed another bug — within five hours of disclosure — that would have allowed attackers to steal a user’s authentication token and thereby gain full control over their messages and account.
That security flaw was reported by Detectify security researcher Frans Rosén three years ago, in March 2017, and it allowed attackers to set up malicious sites for stealing XOXS tokens.
The bug’s disclosure earned Rosén $3,000, and Slack confirmed that it had “resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited.”