item 24314098

Remote Code Execution in Slack desktop apps

510 points | tonny747 | 5 years ago | hackerone.com

196 comments


oskarsv|5 years ago

I wrote that exploit & report. Just some thoughts on comments here.

Sure the bounty is low, but ultimately it's their money and their decision. They will deal with the 'consequences' of others skipping their program and some public shaming.

I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money - it was a fun challenge to chain it all together and I learned a lot from it.

The most outrageous part for me was the blog post I discovered by accident - it included no references or mentions (check archive.org). Both of the code snippets there are from my RCE reports. At the same time they were denying my requests for disclosure.

Of course, I understand that coordination mistakes like this happen, so I accept their apology and move on!

Evidence - original RCE video with huge CSS injection overlay: https://www.dropbox.com/s/11pv2ghdkw5g84b/css-rce-overlay.mo...

krageon|5 years ago

> You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money

If you haven't had food for a few days everything is indeed about money. Either you reward someone properly for the work that they can do or they'll find someone else who does. I doubt most people get fuzzy warm feelings helping a big US corporation that's too greedy to actually pay independent researchers properly.

Edit: That's not to say your work wasn't cool btw. It's very admirable for you to view it the way you do.

securitron|5 years ago

> I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces?

I work with some security engineers who in previous jobs used to write exploits for the highest bidder. Their stuff ended up being used for exactly this. One of them even told me quite proudly, you know that exploit that was in the news, that was mine.

The lack of any ethical framework other than "I want to make as much money as possible" viscerally disgusts me. And there is far too much of this in our industry, it's rife with this sort of ingrained dollar-chasing selfishness with not a care of the consequences.

Good on you for taking a positive ethical stand against this. It's very refreshing to hear.

kamyarg|5 years ago

I really hope they amend the bounty paid to actually compensate you for the find.

As a Slack user, seeing them pay < $2K for an RCE report does not make me feel safe. The next person finding something similar might be looking into this and saying "$3K? No thank you, I'll take the risk of getting caught but get paid fairly."

To be clear I am not advocating for this, but it makes me concerned as a user "some people" will be more likely to do it.

outime|5 years ago

I haven't said anything about black markets but:

>You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money

Not me, not you, but many people make it all about money. I don't think it's ridiculous to think that people can have absolutely zero ethics.

hartator|5 years ago

Read your report and the way you handled things both on technical and human perspective was perfect. Sorry that they made it so difficult to disclose. We are hiring if you ever need a job! https://serpapi.com/team

fouc|5 years ago

Out of curiosity, what do you feel a competitive bug bounty would be for this type of report?

It would be interesting if security reporters had a habit of ending their reports with what they feel is the fair market rate.

Mandatum|5 years ago

I'm so sorry this happened. The CSO reached out and acknowledged the issue, which was... the minimum, but I'd be doing an internal RCA at Slack for how that post made it public without any acknowledgement.

Just sucks - marketing, legal, the engineer and peers who reviewed it, security..

vmception|5 years ago

> Sure the bounty is low, but ultimately it's their money and their decision.

Uh lol.

Bug bounties gravitate to their market value by showing companies how valuable they actually are and forcing them to learn.

ActorNightly|5 years ago

Do you have more info on the JavaScript piece? I can't find docs for those object properties like delegate anywhere.

make3|5 years ago

your response wrt black markets strikes me as incredibly naive knowing all the crime, murder, gross negligence causing death and corruption there is and has been literally everywhere on the planet, since forever, for money

Voliokis|5 years ago

Unfortunately, we live in a world governed by money as a motivator. While you might not be in it for the money, many people are, to a certain degree (you know, to make a living and to be able to afford a decent life). If companies are unwilling to pay anything remotely close to what researchers' time is worth, then they shouldn't wonder when people prefer to sell the exploits that they find to those who do value their work appropriately.

And frankly, we shouldn't be giving companies a pass for being cheap because "reporting it responsibly" is the right thing to do. These companies are benefiting to a great degree by offloading vital security research onto unaffiliated and unknown third-parties. Your time, as well as the time of any other hacker or researcher, is valuable and needs to be compensated. I don't see why it's fair to any of us that we should have to work for free or for low pay-outs just because we might be doing the right thing. Same goes for any other career that is badly paid just because "they're helping people".

albntomat0|5 years ago

> I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money - it was a fun challenge to chain it all together and I learned a lot from it.

Slack is directly taking advantage of that being the only alternative. You can do whatever you want with the money. However, having a robust bug bounty program ensures a wide range of people are both willing and able to look for and report vulnerabilities. This needs to be a requirement for any large successful company handling a large amount of user data. Slack can definitely afford it, and this can be used against them the next time they report a breach.

sjy|5 years ago

They didn’t disclose for months, and when they did, they failed to credit the researcher who found the bug, and started their blog post by saying “This is a fancy way of saying we’ve dialed up the security of the app. It wasn’t unsafe before, but it’s double safe now.” That sucks.

bawolff|5 years ago

Everyone's talking about low payout, but honestly the timeline seems much more annoying to me and harder to justify (was the fix for this really that hard?)

algesten|5 years ago

They can't go back in time and change how they did it, and they did explain and apologised for not handling it correctly.

Stuff like that happens. We should only judge them if they screw up like that again.

rvz|5 years ago

Great report on a critical RCE vulnerability in Slack. However, I will bite.

$1,750 for a detailed report on a critical RCE is like rewarding sniffer-dogs with breadcrumbs. One could sell this exploit at least for 5 figures on the black market.

In all cases, since Electron brings XSS to the desktop, it is a hackers paradise.

justsomeuser|5 years ago

I found an XSS bug in a popular note-taking app. It would allow an attacker to download all the user's notes just by having them visit a URL.

I reported it on HackerOne, it was only after I refused to post it on their free program that they added me to their paid private one.

It was marked as "medium", I got $250 for it.

jansommer|5 years ago

Damn, didn't know $1750 was low. I got something similar for reporting an exploit to Microsoft, where opening an attached ICS/calendar entry in Outlook's web client allowed me to execute arbitrary JavaScript on outlook.microsoft.com as the current user. Should have asked for more!

pansa2|5 years ago

> since Electron brings XSS to the desktop, it is a hackers paradise.

Just curious - what makes XSS on the desktop different from other kinds of RCE vulnerability?

laurent92|5 years ago

When running a security bounty, what makes me afraid is the compounding factor of finding the same kind of issue several times in different places, thereby multiplying the cost by 20. Of course $1750 is cheap, but I'd happily donate more if there were no risk of paying repeat bounties, given a week between them to fix each category of security failure I learn about.

By the way, the security bounty should be mandatory to display to customers. It’s like saying “We don’t value the sum of all your data of all customers to more than $1750”.

tptacek|5 years ago

Can you support that statement about the black market with evidence?

gorgoiler|5 years ago

$1750 for that?! Security researchers need to organize!

I have no idea what I’m talking about but my guess would be that the security economics of finding an RCE make it very valuable. The disclosure would be worth considerably more to Slack than this bounty. Something in the order of months’ worth of skilled labour, not hours.

I suppose the economics also mean Slack only has to outpay the bad guys, so is this really showing us how poorly compensated black hat labor is?

user5994461|5 years ago

How would you even monetize that? This requires existing employee access to be able to post a message to the company Slack and hope other employees click it.

The vulnerability could do great to pwn a company as long as you already have a compromised user account in the company. That's not a wormable RCE, that's not zero click (I'm not saying it's not bad).

Is there a market for high-touch, highly targeted attacks? Maybe, if you can enter into business with the NSA or a ransomware group, those few who can monetize this sort of thing. Good luck.

sneak|5 years ago

They have; you may have heard of ransomware. :)

jcims|5 years ago

>$1750 for that?! Security researchers need to organize!

https://hackerone.com/slack?type=team

It says right on the tin what the payout is going to be. If you don't like the terms of the program, don't participate. It's not really that difficult a concept.

EE84M3i|5 years ago

One click RCE, not zero. $1,750 still seems a little low by H1 standards, but probably not by an order of magnitude.

Cool to see how they used the html injection gadget.

Seems like slack messed up with the blog post but made a sincere attempt to make amends.

I've noticed slack is pretty good about allowing disclosure of H1 bugs. It's a really hard sell in a lot of companies, so I think they should be applauded for that.

kevsim|5 years ago

Oh man, the use of <area> and <map> here is awesome. Not enough of a security guy to know if this is a typical approach, but it's devious.

I guess the moral of the story is to try not to have places where arbitrary HTML is injected?

missblit|5 years ago

Yep. HTML is a huge surface, so just blocking "interesting" tags / attributes is fragile at best (Similar to misguided attempts to block SQL injection through string validation instead of cutting off the root cause).

The other moral of the story is you need to be extra careful to write a secure Electron program, since XSS is a bigger problem than it would be in a desktop browser. Step 3 shows that the RCE could execute programs outside of the JS environment.

bawolff|5 years ago

Yes, blacklisting html tags instead of whitelisting (or parsing into some abstract form and reserializing) is a world of pain and very hard to get right.

Additionally, CSP/iframe have a sandbox flag that can prevent navigating the _top target, which may have prevented this exploit assuming it could have been used (don't know what the Slack code looks like, maybe there was some reason it wasn't applicable).

0xy|5 years ago

So Slack offers the guy a paltry $1,750, then attempts to take credit for his work while also screwing him out of his own disclosure.

This kind of response to security researchers just invites the next researcher to sell the exploit instead, or to actively exploit it.

Why does Slack seem like a company that is floundering? It took them over two years to release a simple feature like shared channels. It seems like the app is frozen in time and the company is doing nothing except keeping the lights on and waiting for Teams to obliterate them.

Slack turned from a hungry tiger startup into an exhausted lumbering enterprise giant whose primary weapon is litigation and mudslinging (Slack initially encouraged the Teams competition, then filed suit against Microsoft in perhaps the biggest case of corporate sour grapes in some time).

Pay your security researchers properly, Slack.

thefreeman|5 years ago

> A simple feature like shared channels

You think merging two or more organizations' workspaces in a sane and secure manner, after likely basing the entire app infrastructure around the idea of a single workspace, is a "simple feature"? This is a textbook example of the classic HN comment "Why does this company need X engineers to create Y product? I could do it in a weekend."

shermanmccoy|5 years ago

They would've spent multiples of that internally, just fumbling about trying to reproduce the vulnerability.

violetgarden|5 years ago

I had a very similar experience with Slack. We were working with their support team because we didn’t realize a vulnerability was present at first. We thought maybe we had misconfigured something. Basically, we could log in to Slack Desktop with user a, but sometimes the screen would blink, then you would have full access to user b’s chats, you were messaging as them, etc. The Slack team told us to clear our browser cache. We tried that and told them the issue didn’t seem to be tied to a browser. Slack just kept telling us to clear cache, but we were growing more alarmed by the app behavior as a standard user suddenly got access to an administrator account and was able to perform all functions. Finally, we started digging into it ourselves until we could reproduce the issue. Slack didn’t get serious with us until we sent them a recording of us doing it, then their responses got strange. All of our emails back to the technicians were getting intercepted by someone higher up in the company, and we were getting a lot of non-answers. We were told a fix was put in place, but they wouldn’t know what happened until they added additional logging in two months time.

I don’t know where I’m going with this, but the correspondence with Slack just felt off to me. I was also disappointed that we were shouting from the rooftops a serious vulnerability, and we kept getting responses like “clear cache, try reinstalling the app.”

dowakin|5 years ago

Conclusion: if you have a choice between Electron vs a web app, use the web app. It's safer and battle-tested for years. Electron apps will have their IE6, Flash and Java situations.

lordnacho|5 years ago

Under $2K seems very cheap for what was discovered. Did it take less than two days to do this exploit?

Perhaps the model should be an immediate price like the one that was offered, but also the ability to ask for more, confidentially. For instance you might feel this thing is worth more like $10k, and you could show the screengrab. Then the firm can decide whether to just pay up or haggle. And of course you still have Hacker One to arbitrate that the vuln is actually what was touted.

Nothing's perfect, of course there are holes in this idea as well.

keymone|5 years ago

Damn. The next vulnerability will go for sale in dark hat circles for sure. Good job slackers.

kamyarg|5 years ago

Unless Slack does the right thing and pays this researcher properly. It is never too late until it is.

ricardobeat|5 years ago

> it is still possible to inject area and map tags

This is the critical oversight - what would be the reason to not use a whitelist instead, or even custom tags instead of plain HTML? Most of the existing libraries for sanitizing html work like that.
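The blocklist-versus-allowlist point made above (and by missblit and bawolff earlier in the thread) is easy to see in code. The following is an added example, not code from the HackerOne report or from Slack's client: a deliberately small regex tag tokenizer drives both a blocklist filter of the kind that lets `<map>`/`<area>` through and an allowlist sanitizer that drops every tag and attribute it does not know. The attacker message is constructed for the demo and the `https://attacker.example/` destination is a placeholder; the tokenizer is a teaching toy, not something to ship (a parser-based library such as DOMPurify is the production answer).

```javascript
// Added example: blocklist tag filtering beside allowlist sanitization.
// Toy tokenizer for illustration only; a real sanitizer must use an HTML parser.

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the raw attribute string of one tag into {name: value}.
function parseAttrs(raw) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// --- Blocklist: remove "known bad" tags and on* handlers, pass everything else. ---
const BLOCKED_TAGS = new Set(["script", "iframe", "object", "embed", "style", "img", "svg"]);
const EVENT_HANDLER_RE = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

function blocklistSanitize(html) {
  return html.replace(TAG_RE, (whole, name) => {
    if (BLOCKED_TAGS.has(name.toLowerCase())) return "";
    return whole.replace(EVENT_HANDLER_RE, "");   // <map>, <area>, javascript: hrefs survive
  });
}

// --- Allowlist: keep only listed tags, only listed attributes, only safe URL schemes. ---
const ALLOWED_TAGS = {
  b: [], i: [], em: [], strong: [], p: [], br: [], code: [], pre: [],
  a: ["href"],
};

function isSafeUrl(value) {
  // Browsers ignore some control characters inside a scheme ("java\tscript:"),
  // so strip ASCII controls and spaces before checking; this only makes the check stricter.
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:/.test(v)) return /^(https?|mailto):/.test(v);
  return !v.startsWith("//");   // plain relative path ok; refuse protocol-relative
}

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

function allowlistSanitize(html) {
  return html.replace(TAG_RE, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    const allowedAttrs = ALLOWED_TAGS[tag];
    if (allowedAttrs === undefined) return "";          // unknown tag (map, area, img, ...): drop
    if (whole.startsWith("</")) return `</${tag}>`;
    const attrs = parseAttrs(rawAttrs);
    const kept = [];
    for (const attrName of allowedAttrs) {
      if (!(attrName in attrs)) continue;
      if (attrName === "href" && !isSafeUrl(attrs[attrName])) continue;
      kept.push(` ${attrName}="${escapeAttr(attrs[attrName])}"`);
    }
    return `<${tag}${kept.join("")}>`;                   // rebuilt from parsed parts, never echoed
  });
}

// Constructed attacker message (not from the report): an image map whose clickable
// area covers the viewport and leads off-app, plus two classic XSS carriers.
const CONSTRUCTED_PAYLOAD =
  'Hello <b>team</b>, see ' +
  '<map name="m"><area shape="rect" coords="0,0,9999,9999" href="https://attacker.example/"></map>' +
  '<a href="javascript:alert(1)">link</a><img src=x onerror="alert(1)">';

function demo() {
  return {
    blocklist: blocklistSanitize(CONSTRUCTED_PAYLOAD),
    allowlist: allowlistSanitize(CONSTRUCTED_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` and compare the two outputs: the blocklist removes the `<img onerror>` but leaves the `<map>`/`<area>` overlay and the `javascript:` link intact, because nothing told it those were dangerous. The allowlist reduces the same message to `Hello <b>team</b>, see <a>link</a>`, and it got there without ever naming `area`, `map` or `javascript:` specifically, which is the whole point: the safe set is finite and stable, the dangerous set is not.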

touchpadder|5 years ago

that's why I stick to the web client

SXX|5 years ago

This. It's just insane to use all these Electron-based apps giving them access to all your data.

Angeo34|5 years ago

An electron app with an rce? Wow this is so unexpected never thought this would happen.

GEBBL|5 years ago

What an excellent write up.

I hope Slack review the payment and give you a bit more.

TheUndead96|5 years ago

It is my belief that most people would not use Slack if it did not have the business buy-in it now has. Most people are forced to use Slack.

dheera|5 years ago

Curious what the hate for Slack is. I use a 1-person Slack workspace for personal note-taking and memory extension, and I find it is also a super useful tool to manage ideas, photos, shared files in romantic relationships.

For either use case the ability to write bots for it, and the fact that it syncs across devices with multiple simultaneous logins is awesome.

jogundas|5 years ago

Is there something better?

er0k|5 years ago

so... where did the article go?

higerordermap|5 years ago

They seem to be a company of bastard suits.

Their desktop client is an abomination. Worst even among Electron apps. IIRC once it was spawning a process per identity. Because some manager decided to hire bootcamp webshits. It is possible to do much more decent apps even with Electron.

And when an article about electron was posted, a person from Slack, 'javascript hacker at slack' in his bio, jumped to defend it without even putting a disclaimer.

Now they are treating a security researcher badly with these low bounties. This guy has good intentions and didn't want to sell it. But even if 10% of people sell it or use it on behalf of nation-state actors, imagine the damage.

Pretty sure it is some shitty MBAs who don't even know about technology being there.

It is not welcome to be undiplomatic on HN, I know. But let me say this out loud. Fucking non-technical people should not be allowed to decide on technical matters. But those shitheads generally have political abilities. That's what happened when Larry Page tried to oust those suits out of Google engineering divisions.