The office communication platform Slack is known for being easy and intuitive to use. But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users’ passwords.
When users created or revoked a linkknown as a Shared Invite Linkthat others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator’s hashed password to other members of that workspace. The flaw impacted the password of anyone who made or scrubbed a Shared Invite Link over a five-year period, between April 17, 2017, and July 17, 2022.
Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The errant passwords weren’t visible anywhere in Slack, the company notes, and could have only been apprehended by someone actively monitoring relevant encrypted network traffic from Slack’s servers. Though the company says it’s unlikely that the actual content of any passwords were compromised as a result of the flaw, it notified impacted users on Thursday and forced password resets for all of them.
Slack said the situation impacted about 0.5 percent of its users. In 2019, the company said it had more than 10 million daily active users, which would mean roughly 50,000 notifications. By now, the company may have nearly double that number of users. Some users who had passwords exposed throughout the five years may not still be Slack users today.
We immediately took steps to implement a fix and released an update the same day the bug was discovered, on July 17th, 2022, the company said in a statement. Slack has informed all impacted customers and the passwords for impacted users have been reset.
The company did not respond to questions from WIRED by press time about which hashing algorithm it used on the passwords and whether the incident has prompted broader assessments of Slack’s password-management architecture.
It’s unfortunate that in 2022 we’re still seeing bugs that are clearly the result of failed threat modeling, says Jake Williams, director of cyber threat intelligence at the security firm Scythe. While applications like Slack definitely perform security testing, bugs like this that only come up in edge case functionality still get missed. And obviously, the stakes are very high when it comes to sensitive data like passwords.
The situation underscores the challenge of designing flexible and usable web applications that are also architected to silo and limit access to high-value data like passwords. If you received a notification from Slack, change your password and make sure you have two-factor authentication turned on. You can also view the access logs for your account.