• About
  • Advertise
  • Careers
  • Contact
Monday, March 20, 2023
No Result
View All Result
NEWSLETTER
Cyber360 News
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us
No Result
View All Result
Cyber360 News
No Result
View All Result
Home Security

Slack bugs allowed take over victims’ accounts

by Cyber360 News
March 15, 2020
in Security
0
Slack bugs allowed take over victims’ accounts
0
SHARES
1
VIEWS
Share on FacebookShare on Twitter

Slack addressed a critical flaw within 24 hours from its disclosure, the issue allowed attackers to carry out automate account takeover.

The researcher Evan Custodio discovered a critical vulnerability in Slack that could have allowed attackers to launch automate account takeover.

Slack addressed the vulnerability within 24 hours it was reported by the researcher, the company rewarded Custodio with a $6,500 bounty.

So I did promise blog posts on RS CLTE-style attacks, I guess this will have to do for now. Often times with RS hijacking you can throw a victim into an open redirect to steal their tokens/cookies. Many thanks to @SlackHQ for fixing this within 24-hours of discovery #bugbounty https://t.co/EUm6pNgjlF

— Evan Custodio (@defparam) March 12, 2020

Custodio “exploited an HTTP Request Smuggling bug on a Slack asset to perform a CL.TE-based hijack onto neighboring customer requests.”

The expert explained that the bug is extremely critical not only for Slack, but also for all customers and organizations which share their private data/channels/conversations on Slack.

“So it is my opinion that this is a severe critical vulnerability that could lead to a massive data breach of a majority of customer data. With this attack it would be trivial for a bad actor to create bots that consistantly issue this attack, jump onto the victim session and steal all possible data within reach.” explained the expert.

An attacker could have exploited this issue to create automated bots that are able to access a victim’s Slack session and steal sensitive data.

As Custodio further explained in his detailed write-up, the bug chain that allowed him to steal sessions cookies included multiple steps.

Below the bug chain reported in the bug report:

  • 1) HTTP Request Smuggling CTLE to Arbitrary Request Hijacking (Poisoned Socket) on slackb.com.
  • 2) Request Hijack forces victim HTTP requests to instead use GET https:// HTTP/1.1 on slackb.com
  • 3) A request of GET https:// HTTP/1.1 on the backend server socket results in a 301 redirect to https:// with slack cookies (most importantly the d cookie)
  • 4) Me with my Burp Collaborator steals victims cookies by using a collaborator server as the defined in the attack
  • 5) Me (if I were evil) collects massive amounts of d session cookies and steals any/all possble Slack user/organization data from victim sessions

The bug could allow stealing cookies and used them into a browser to take over the account.

“This hijack forced the victim into an open-redirect that forwarded the victim onto the researcher’s collaborator client with slack domain cookies.” explained the expert.

“The posted cookies in the customer request on the collaborator client contained the customer’s secret session cookie. With this attack, the researcher was able to prove session takeover against arbitrary slack customers.”

Slack also addressed another issue, which would allow an attacker running a malicious site to steal XOXS tokens and gain full control over victims’ accounts.

The flaw was reported by the researcher Frans Rosen that received a $3,000 bounty.

Pierluigi Paganini

(SecurityAffairs – hacking)



Share On


Cyber360 News

Cyber360 News

Next Post
The plaintiffs failed to demonstrate loss or injury as a result of increased risk of identity theft.

Eight million EU retail sales records exposed on AWS MongoDB

Recent Posts

Twitch’s Entire Critical Data Leaked, Includes Streamer Earnings, Source Code

Twitch’s Entire Critical Data Leaked, Includes Streamer Earnings, Source Code

October 6, 2021
Former U.S. Security Firm Helped The UAE Carry Out “Karma” iMessage Hack: MIT Tech Review

Former U.S. Security Firm Helped The UAE Carry Out “Karma” iMessage Hack: MIT Tech Review

October 1, 2021
Facing “This App Has Been Blocked For Your Protection” Issue? Here’s How You Can Fix It

Facing “This App Has Been Blocked For Your Protection” Issue? Here’s How You Can Fix It

October 1, 2021

Whats New in Kali Linux?

September 14, 2021

Kali Linux 2019.3 Release (CloudFlare, Kali-status, metapackages, Helper-Scripts & LXD)

September 14, 2021

Kali Linux 2021.3 Release (OpenSSL, Kali-Tools, Kali Live VM Support, Kali NetHunter Smartwatch)

September 14, 2021

Kali Linux 2018.4 Release

September 14, 2021

Kali Linux 1.0.5 and Software Defined Radio

September 14, 2021

Kali Tools Website Launched, 1.0.9 Release

September 14, 2021

Kali Linux Dojo at Black Hat Vegas 2016

September 14, 2021

Category

Site Links

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

About Us

We bring you the best Premium WordPress Themes that perfect for news, magazine, personal blog, etc. Check our landing page for details.

© 2019 Cyber360 News - Powered by WebSensePro

No Result
View All Result
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us

© 2019 Cyber360 News - Powered by WebSensePro

Login to your account below

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In