Slack resets passwords en masse after invite link vulnerability

Dive Brief:

• Slack proactively reset the passwords of 0.5% of its users on Thursday after it was alerted to a vulnerability that transmitted hashed versions of user passwords to other workspace members.
• The enterprise messaging and collaboration platform said in a blog post it fixed the bug in the shared invite link functionality, which creates a link to permit others to join a Slack workspace.
• The bug affected all users that created or revoked a shared invite link between April 17, 2017 and July 17, 2022, Slack said. The feature is available to all Slack users by default, but not guests, and owners and administrators can change settings to require admin approval.

Dive Insight:

Slack said it fixed the bug the same day it was discovered and notified impacted users that their passwords were reset 18 days later.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” the company said.

The vulnerability, which was discovered by an independent security researcher and disclosed to Slack on July 17, affects at least 60,000 users but likely more. Slack has more than 169,000 paid enterprise customers but hasn’t disclosed its daily active user base since it reported more than 12 million in September 2019. 

A company spokesperson declined to say how many customers were impacted beyond the 0.5% figure. Customers are growing and spending more with the company. 

The number of customers spending more than $100,000 on Slack each year has grown more than 40% on an annualized basis for four consecutive quarters, Salesforce co-CEO Bret Taylor said during the company’s latest earnings call in May, for the period ending April 30. Salesforce closed its $27.7 billion acquisition of Slack in July 2021. 

The consistent rise of remote work tools, such as Slack, extends the threat of vulnerabilities to a widening pool of organizations.

Slack, in an email sent to an affected customer and confirmed authentic by a company spokesperson, said the hashed password of a user who created or revoked a shared invite link was included in the hidden events of raw data streamed from Slack’s servers over a websocket processed by a Slack client app.

The company said the hashed password was not stored or displayed in any Slack client, and discovery required active encrypted network traffic monitoring.

“We use a technique called salting to further protect these hashes,” Slack wrote in the email to affected customers. “Hashed and salted passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected.”

Comments are closed.