时间:2025-07-19 06:39:09 来源:网络整理编辑:百科
Slack and its scores of desktop app users just dodged a major bullet. The communications tool relied
Slack and its scores of desktop app users just dodged a major bullet.
The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability — now fixed — that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January.
Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. within Slack."
What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.
It's worth emphasizing that the security researcher who discovered this vulnerability — a process that takes untold hours of work and is a literal job — decided to do what many would consider the right thing and report it to Slack via HackerOne. For the security researcher, whose HackerOne handle is oskars,this resulted in a bug bounty payment of $1,750.
Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments.
Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.
Tweet may have been deleted
Tweet may have been deleted
Tweet may have been deleted
We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone.
"Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."
The spokesperson also noted that the company "implemented an initial fix by February 20."
SEE ALSO: 7 Slack privacy settings you should enable now
Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up."
Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys. We should hope so, for the sake of Slack users everywhere.
UPDATE: Aug. 29, 2020, 1:49 p.m. PDT: This story has been updated to include Slack's statement.
TopicsCybersecurity
This German startup wants to be your bank (without being a bank)2025-07-19 06:35
帥位穩了 !安切洛蒂下季必留隊 逆轉大巴黎成關鍵2025-07-19 06:17
李霄鵬透露巴西歸化無法歸隊:誰能拚誰上 有困難提出來2025-07-19 06:14
英媒 :曼城6300萬鎊違約金簽哈蘭德 總費用高達1億2025-07-19 05:55
Olympian celebrates by ordering an intimidating amount of McDonald's2025-07-19 05:37
官宣 !季莫什丘克遭烏克蘭足協除名 取消一切榮譽2025-07-19 05:27
廣州城致敬程月磊唐淼:中超首勝10周年 僅他倆仍在隊中2025-07-19 05:13
朗尼克:如果拉什福德不開心 可以在夏天離開曼聯2025-07-19 04:50
Give your kitchen sponge a rest on this adorable bed2025-07-19 04:17
隊報評巴黎前景:梅西為世界杯留隊 內馬爾爛手裏2025-07-19 03:54
There's a big piece of fake chicken stuck to this phone case2025-07-19 06:37
英媒:曼城6300萬鎊違約金簽哈蘭德 總費用高達1億2025-07-19 06:30
國足12強賽最後兩戰加速新陳代謝 ? 近期教學賽“95後”球員占較大比重2025-07-19 06:23
最好褒獎!名記:皇馬欲續約本澤馬 新合同至20242025-07-19 06:09
Plane makes emergency landing after engine rips apart during flight2025-07-19 05:50
朗尼克 :沒問過C羅在曼聯是否開心 他可以出戰熱刺2025-07-19 04:53
國足4名巴西歸化表態無法進行體測 或無緣12強賽剩餘兩戰2025-07-19 04:37
帥位穩了 !安切洛蒂下季必留隊 逆轉大巴黎成關鍵2025-07-19 04:37
Australian football makes history with first LGBT Pride Game2025-07-19 04:32
尤文前瞻 :斑馬全麵占優 弗拉霍維奇再現克星本色2025-07-19 04:28