Slack bug exposed hashed passwords for some users for five years

Slack, the workplace messaging app, is known for being easy to use and intuitive. But the company said on Friday that one of its low-friction features contained a now-fixed vulnerability that exposed hashed versions of some users' passwords.

When users created or revoked a link, known as a "shared invite link", that others could use to sign up to a particular Slack workspace, the command also inadvertently passed the creator's hashed password to other members of that workspace. The flaw affected the password of anyone who created or deleted a shared invite link over a five-year period, between April 17, 2017 and July 17, 2022.
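To illustrate the failure mode described above, here is an added example that is not Slack's code: a hypothetical event builder that serialises the whole creator record when an invite link is created or revoked, beside one that allow-lists the fields other members need, plus a check that scans an outgoing payload for secret-looking keys. The member record, field names and hash value are all constructed.

```python
import hashlib
import json

# Constructed sample: a workspace member record as a backend might hold it.
# The hash is an illustrative placeholder, not a real Slack artefact.
CREATOR = {
    "id": "U0001",
    "name": "alice",
    "email": "alice@example.com",
    "password_hash": hashlib.sha256(b"not-a-real-password").hexdigest(),
}

# Only these fields may appear in anything broadcast to other workspace members.
PUBLIC_USER_FIELDS = ("id", "name")


def leaky_invite_event(creator: dict, action: str) -> str:
    """Serialise the whole member record: password_hash rides along to everyone."""
    return json.dumps({"type": f"shared_invite_{action}", "user": creator})


def safe_invite_event(creator: dict, action: str) -> str:
    """Allow-list: copy only the fields an event consumer actually needs."""
    user = {k: creator[k] for k in PUBLIC_USER_FIELDS}
    return json.dumps({"type": f"shared_invite_{action}", "user": user})


def leaks_secret(event_json: str, secret_keys=("password", "password_hash", "token")) -> list:
    """Walk a JSON payload and return the paths of any secret-looking keys found."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                child = f"{path}.{k}" if path else k
                if k in secret_keys:
                    found.append(child)
                walk(v, child)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(json.loads(event_json), "")
    return found


if __name__ == "__main__":
    for build in (leaky_invite_event, safe_invite_event):
        print(build.__name__, "leaks:", leaks_secret(build(CREATOR, "created")))
```

A check like `leaks_secret` belongs in the tests for every outbound serialiser, so a new field on the member record cannot silently reach other users.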

Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The hashed passwords were not visible anywhere in Slack, the company notes, and could only have been captured by someone actively monitoring the relevant encrypted network traffic from Slack's servers. Although the company says it is unlikely that the actual content of any passwords was compromised as a result of the flaw, it notified affected users on Thursday and forced a password reset for all of them.

Slack said the issue affected about 0.5 percent of its users. In 2019 the company said it had more than 10 million daily active users, which suggests nearly 50,000 notifications. The company may have nearly doubled that number of users since then. Some users whose passwords were exposed over the past five years may still be Slack users today.

"We immediately took steps to implement the fix and released an update on the same day the bug was discovered, on July 17, 2022," the company said in a statement. Slack has notified all affected customers, and the affected users' passwords have been reset.

The company had not responded to WIRED's questions at press time about the hashing algorithm it used on passwords or whether the incident has led to broader assessments of Slack's password management architecture.

"It is unfortunate that in 2022 we're still seeing errors clearly attributable to failed threat modeling," says Jake Williams, director of cyber threat intelligence at security firm Scythe. "While apps like Slack certainly do security checks, errors like this one that only appear in edge-case features are still being missed. The stakes are clearly very high when it comes to sensitive data like passwords."

The situation highlights the challenge of designing flexible and usable web applications that also compartmentalise and limit access to high-value data such as passwords. If you get a notification from Slack, change your password and make sure you have two-factor authentication enabled. You can also review your account's access logs.
