Evan Custodio, a researcher using the HackerOne bug bounty platform, reported a critical vulnerability to Slack in November of 2019. Custodio’s finding was an HTTP request smuggling vulnerability. This type of attack can arise when a front-end server or application forwards HTTP requests to one or more back-end servers. If the front-end and back-end servers parse the requests differently (in particular, if they disagree on where one request's body ends and the next begins), the back-end server may be tricked into performing an extra request. Custodio found this type of vulnerability within one of Slack’s assets that could also lead to an open redirect. Combining the vulnerability with the open redirect, it was possible to automate collecting session cookies on a massive scale. Stealing session cookies would allow an attacker to take over Slack user accounts. Slack managed to patch the vulnerability within 24 hours, and the vulnerability was made public on March 12th of this year.
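As an added illustration (not from Custodio's report or Slack's code), here is the kind of front-end check that closes the gap the paragraph describes: it parses a raw HTTP/1.1 request head and lists the reasons its body framing is ambiguous, since an unambiguously framed request leaves a front end and a back end no room to disagree. The sample requests and the `example.test` host are constructed.

```python
import re

# RFC 7230 token characters; a header name outside this grammar (e.g. padded
# with whitespace) is something two parsers may treat differently.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_headers(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request_line, [(raw_name, value), ...]).
    Names are returned exactly as they appeared before the colon, untouched."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return lines[0], headers

def framing_problems(raw: bytes) -> list:
    """Return the reasons this request's body length is ambiguous.
    An empty list means the framing is unambiguous and safe to forward."""
    _, headers = parse_headers(raw)
    problems = []
    cl, te = [], []
    for raw_name, value in headers:
        if not _TOKEN.fullmatch(raw_name):
            # e.g. b"Transfer-Encoding " (trailing space): one server may ignore it, another honour it
            problems.append("malformed header name: %r" % raw_name)
        name = raw_name.strip().lower()
        if name == b"content-length":
            cl.append(value)
        elif name == b"transfer-encoding":
            te.append(value)
    if cl and te:
        # RFC 7230 3.3.3: Transfer-Encoding wins, but the message should be rejected
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not re.fullmatch(rb"[0-9]+", v) for v in cl):
        problems.append("non-numeric Content-Length")
    if any(v.lower() != b"chunked" for v in te):
        # e.g. b"xchunked" or b"chunked\t": parsers differ on whether this means chunked
        problems.append("Transfer-Encoding value is not exactly 'chunked'")
    return problems

# Constructed sample requests (not real traffic)
CLEAN = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
PADDED = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n")
```

A front end that rejects any request for which `framing_problems` is non-empty (rather than guessing) denies the parsing discrepancy the attack depends on.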
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased