Evan Custodio, a researcher using the HackerOne bug bounty platform, reported a critical vulnerability to Slack in November of 2019. Custodio’s finding was an HTTP smuggling attack. This type of attack can arise when a front-end server or application forwards HTTP requests to one or more back-end servers. If the front-end and back-end servers parse the requests differently, the back-end server may be tricked into performing an extra request. Custodio found this type of vulnerability within one of Slack’s assets that could also lead to an open redirect. Combining the vulnerability with the open redirect, it was possible to automate collecting session cookies on a massive scale. Stealing session cookies would allow an attacker to take over Slack user accounts. Slack managed to patch the vulnerability within 24 hours and the vulnerability was made public on March 12th of this year.
Analyst Notes
To apply the security patch that fixes this vulnerability, simply continue letting Slack update automatically. This vulnerability was patched in November 2019, so if Slack was downloaded or even just opened any time recently, chances are that this patch has already been applied. If you suspect that Slack has not been updated, simply visit the respective app store that Slack was downloaded from or visit https://slack.com/ to download and install the latest version.
Sources: https://hackerone.com/reports/737140
https://www.zdnet.com/article/slack-vulnerability-allowed-session-hijacking-account-takeovers/
