"Five-Year-Old Slack Bug Transmitted Your Hashed Password After Interacting With a Sharing Feature"

Slack disclosed that a five-year-old bug shared users' hashed passwords when they interacted with the vulnerable invitation feature. When users created or revoked a shared invitation link, the bug transmitted their hashed passwords to other group participants. Slack clarified that the leak only affected users who created a shared invite link for their workspace between April 17, 2017, and July 17, 2022. According to the Salesforce subsidiary, the Slack password was not visible anywhere on the platform or in any client. Therefore, only a threat actor actively monitoring the encrypted network traffic of Slack's servers could intercept the hashed password. The hashed password, however, could still be logged along with other packet data transmitted during link creation and revocation. Slack has notified all affected users and forced password resets for 50,000 accounts.

Slack is used for official communication by many high-profile corporations and government organizations. Because of this, the bug could be a target for sophisticated attackers with the resources to recover a plaintext password from a hashed password. Advanced Persistent Threat (APT) actors have demonstrated their ability to exploit minor software bugs in previously unimaginable ways for cyber espionage and ransomware. According to the company's advisory, Slack users should check access logs for suspicious activity and enable two-factor authentication (2FA) as a precaution. This article continues to discuss the potential exploitation and impact of the five-year-old Slack vulnerability.

CPO Magazine reports "Five-Year-Old Slack Bug Transmitted Your Hashed Password After Interacting With a Sharing Feature"

Submitted by Anonymous on