时间:2026-07-08 07:33:25 来源:网络整理编辑:休閑
Slack and its scores of desktop app users just dodged a major bullet. The communications tool relied
Slack and its scores of desktop app users just dodged a major bullet.
The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability — now fixed — that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researched who reported it, through the bug bounty platform HackerOne in January.
Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc. within Slack."
What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.
It's worth emphasizing that the security researcher who discovered this vulnerability — a process that takes untold hours of work and is a literal job — decided to do what many would consider the right thing and report it to Slack via HackerOne. For the security researcher, whose HackerOne handle is oskars,this resulted in a bug bounty payment of $1,750.
Of course, had that person wanted, they could have likely gotten much, much more money by selling it to a third-party exploit broker. Companies like Zerodium, which offer millions of dollars for zero-day exploits, in turn sell those exploits to governments.
Members of the computer security community were quick to point out the relatively paltry payout for such an important bug.
Tweet may have been deleted
Tweet may have been deleted
Tweet may have been deleted
We reached out to Slack in an effort to determine how it decides the size of its bug bounty payments, and whether or not it had a response to the criticism levied by members of the security community. In response, a company spokesperson replied that the amount Slack pays for bug bounties is not fixed in stone.
"Our bug bounty program is critical to keeping Slack safe," the spokesperson wrote in part. "We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers."
The spokesperson also noted that the company "implemented an initial fix by February 20."
SEE ALSO: 7 Slack privacy settings you should enable now
Interestingly, Slack does appear to have upped the amount it's willing to pay bug bounty researchers for coordinated disclosure. A look at its HackerOne profile page shows that, as of the time of this writing, reporting a remote code execution vulnerability would merit "$5000 and up."
Too late for oskars, but perhaps that will encourage the next security researcher who discovers a critical vulnerability in Slack to report it to the good guys. We should hope so, for the sake of Slack users everywhere.
UPDATE: Aug. 29, 2020, 1:49 p.m. PDT: This story has been updated to include Slack's statement.
TopicsCybersecurity
Photos show the Blue Cut fire blazing a path of destruction in California2026-07-08 07:27
新思路影視“幸福東莞 魅力大灣 2020少兒新春盛典”夢想揚帆,嶄新起航!2026-07-08 06:49
《青春拋物線》溫情收官 陳欣予夢想終成真一路前行2026-07-08 06:40
大師駕到·麥田房產2020老客戶開新嘉年華2026-07-08 06:38
Metallica to seek and destroy your eardrums with new album this fall2026-07-08 06:07
吳亦凡×《王者榮耀》背後 是一場音樂與遊戲的跨界共振2026-07-08 05:53
《陌路情徒》京津地區新聞發布會1.7日圓滿舉行2026-07-08 05:39
九鋒影視《天衣無縫》獲首屆“融屏傳播年度優選”雙份獎項2026-07-08 05:30
Olympic security asks female Iranian fan to drop protest sign2026-07-08 05:15
檀健次獻唱《點讚中國》2020群星盛典 展現當代青年新麵貌2026-07-08 05:13
Darth Vader is back. Why do we still care?2026-07-08 07:25
唐季禮 :電影走出去的核心是好故事2026-07-08 06:49
豪華資源助力 虎牙星盛典現場將“空投”驚喜虎糧袋2026-07-08 06:09
用歌聲描繪幸福 鄭爽帶父母參加2020北京台春晚2026-07-08 05:56
One of the most controversial power struggles in media comes to a close2026-07-08 05:44
馮提莫真實身高曝!路人側拍傻 :120cm?2026-07-08 05:43
吳鎮宇時隔多年再次出演古裝俠客 片場大秀演技2026-07-08 05:33
陶紅出席精美頒獎禮 斬獲年度實力女演員2026-07-08 05:29
Teacher absolutely nails it with new homework policy2026-07-08 05:15
劉奕君《劍王朝》即將收官 權力恩怨兩難平2026-07-08 04:53