"Slack Forces Password Resets After Discovering Software Flaw"

Workplace productivity software giant Slack recently forced password resets for a tiny fraction of its users after the discovery of a security flaw that exposed Slack credentials. Slack alerted affected users by email and followed up with a blog post warning that the passwords could have leaked to a skilled attacker. Slack noted that it currently has no reason to believe anyone was able to obtain customers' plaintext passwords because of the vulnerability.

The bug was discovered and fixed in Slack's Shared Invite Link functionality, a feature that lets workspace owners create a link that permits anyone holding it to join. The feature is offered as an alternative to inviting people one by one via email to become workspace members. However, for users who created and/or revoked one of these links between April 17, 2017, and July 17, 2022, Slack sent a hashed password over the websocket to all users of the workspace who were connected to Slack at the time. Slack estimates that approximately 0.5% of users were affected.

Slack noted that the hashed password was not visible in any Slack client and that discovering it required actively monitoring encrypted network traffic coming from Slack's servers. The bug was found by an independent security researcher and disclosed to Slack on July 17, 2022.
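The report says only that a hashed password reached every connected client over the websocket; it does not say how. A common cause of this class of leak is broadcasting a whole server-side record instead of an explicit allow-list of fields. The following is an added illustration of that defensive pattern, not Slack's code and not a description of Slack's actual root cause: `UserRecord`, `PUBLIC_USER_FIELDS`, the event builders and the `leaked_fields` check are all constructed for this example, and the sample user is fabricated.

```python
"""
Illustrative example (not Slack's code): when broadcasting a workspace event
over a websocket, build the payload from an explicit allow-list of fields so
that server-only secrets such as password hashes never reach clients.
"""
import json
from dataclasses import asdict, dataclass


@dataclass
class UserRecord:
    """Constructed server-side user record (hypothetical schema)."""
    user_id: str
    display_name: str
    email: str
    password_hash: str  # server-only secret; must never be serialized to clients


# Fields safe to broadcast to every connected member of a workspace.
PUBLIC_USER_FIELDS = frozenset({"user_id", "display_name"})

# Constructed sample data; the hash value is a placeholder, not a real digest.
SAMPLE_USER = UserRecord(
    user_id="U0000001",
    display_name="example-user",
    email="example-user@example.invalid",
    password_hash="$argon2id$PLACEHOLDER_HASH_VALUE",
)


def build_event_unsafe(event_type: str, user: UserRecord) -> str:
    """Flawed pattern: serialize the entire record, secrets included."""
    return json.dumps({"type": event_type, "user": asdict(user)})


def build_event_safe(event_type: str, user: UserRecord) -> str:
    """Hardened pattern: copy only allow-listed fields into the payload."""
    record = asdict(user)
    public = {key: record[key] for key in sorted(PUBLIC_USER_FIELDS)}
    return json.dumps({"type": event_type, "user": public})


# Substrings in key names that should trigger review before a payload ships.
SENSITIVE_KEY_MARKERS = ("password", "hash", "secret", "token")


def leaked_fields(payload: str) -> list[str]:
    """Walk a JSON payload and return dotted paths of keys that look sensitive.

    Useful as a pre-send guard or as a test assertion over event fixtures.
    """
    found: list[str] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if any(marker in key.lower() for marker in SENSITIVE_KEY_MARKERS):
                    found.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(json.loads(payload), "")
    return found


if __name__ == "__main__":
    for builder in (build_event_unsafe, build_event_safe):
        event = builder("shared_invite_link_revoked", SAMPLE_USER)
        print(builder.__name__, "->", leaked_fields(event) or "no sensitive keys")
```

Running the module prints the sensitive key path found in the unsafe payload (`user.password_hash`) and nothing for the safe one. The allow-list is the important part: a deny-list of field names fails silently the day someone adds a new secret to the record, whereas an allow-list fails closed, and the `leaked_fields` walk gives a cheap regression check to run over recorded event fixtures.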


SecurityWeek reports: "Slack Forces Password Resets After Discovering Software Flaw"