Critical vuln that lets miscreants hijack computers via Slack? *Sucks in air* We'll give you $1,750 for it A critical remote-code-execution vulnerability affecting past versions of the Slack desktop app was disclosed on Friday after the software maker fixed its app. The behind-the-scenes wrangling leading up to the patch has prompted criticism regarding the size of the bug bounty reward for the vulnerability, and the persistent …
Slack is used by many organisations where trust is implicit, such as user groups and MeetUp groups. The owners of the Slack "org" can vouch for almost no one, and know most users only by their interactions within the Slack org itself. Getting an invitation takes almost no work at all.
Slack should have ponied up and paid a lot more for this bug.
Slack is gonna look so secure as bug reports fall
Looks like Slack realised it's too insecure; "look at all these critical vulnerabilities reported to us!"...
... and decided to fix it by adjusting what counts as critical; "look boss, bug bounty paid out 60% fewer bounties for critical exploits - we're so secure now!"
I bet they get a bonus for it too.
Actually a well known (legal) vuln brokerage tweeted out saying the next one someone finds in a similar manner to approach them & they would offer 10k for it. You don't have to join hackerone or the other bounty schemes to sell a vuln.
So, now slack can expect to get hit with 0 day disclosures and be part of well funded exploit buyers attack toolkits.
Silly Slack, and they come from this culture and 100% should have known how this works. I guess their huge market cap, turnover and resources didn't quite cover rewarding researchers so they don't go elsewhere with their findings. Their loss.
As a long time lurker at El Reg (and TWIT) seems to me that security has never been part of this culture, from winxp all the way up to zoom none of these MoFos ( err, Men Of Fortune) has ever been punished for poor security and it’s consequences, not financially, not with jail definitely not social shame. Bill Gates is celebrated for his fight against malaria with OUR OWN MONEY, ahem,Hank Scorpio keeps trying to take over the world and he gets a cameo on tv¿, and every single critic of Mark Zuckerberg has a Facebook page, an Instagram account and bitches too his friends through WhatsApp.
Oopsie, I ran into a rant
In an Electron "app" that also means "replace the entire Electron binary with one that does whatever the miscreant so desires".
Thus leaving a fun timebomb that will explode next time the user starts the thing.
Electron drives a coach and horses through the OS security model, so your only defence is Electron itself.
Which apparently has no defences by default. Joy.
This has been going on ever since bug bounties were 'launched' as platforms (ie. bugcrowd, hackerone, Synack) back in 2012/13. I once found a bug for a Nasdaq listed company that's valued at a few billion $ and that has about 200-300 million users. The bug allowed me to extract all 300 million account details, and then modify said account details all from an unauthenticated remote position. I got paid 5000$. When I found a second bug which did the same thing a few months later, this dropped to 1500$...
Even further back when cyber intelligence companies first started offering bounties independent of developers.
The problem is the bug finder has almost no power in the negotiation. You get what you're given. I think it's best viewed as a freelance apprenticeship, or something on the side if you happen to be uncovering bugs anyway in your day-job. Then the payout only needs to cover your report writing time. Unfortunately the lottery aspect of it sucks people in with big expectations, in much the same way multi-level marketing does.
I found an SQLi (which went further with outfile which could pivot to a shell and the application was run as root for someone reason) in a piece of software that the vendor sold to multiple orgs, meaning it was vulnerable for every customer.
I got £40, I thought being paid beer money for stuff was limited to fixing your mum's printer. but I'm loathe to try and ask for more as the industry has too many stories of a company just flat out screaming blackmail, terminating safe harbour and threaten to call the cops if you object to the pittance
And that's not even mentioning a newbie triage guy saying "not in scope we don't own that company" for a huge vuln, the other triage guy gave me 5k for a smaller bug which got fixed on the same software go get him!
"My fundamental complaint with Electron is that relatively basic usage still demands that non-security devs understand the full security properties of their system and scope broker usage appropriately," said Justin Schuh, engineering director for Google Chrome, via Twitter. "That's not reasonable, given it's one of the hardest tasks for security experts."
Yes, it IS reasonable. If you are a dev, it is your effing job to understand the ramifications of the code that you write AND of the libraries you import. Saying that developers are not responsible for the security of their code is like saying engineers are not responsible for the structural integrity of the bridges they build.
If this is a problem, then maybe you shouldn't be using the stupidest, most poorly designed programming language ever designed in the history of computer science.
"Electron is a cross-platform framework that allows developers to create desktop client code using HTML, JavaScript, and CSS that runs on Linux, macOS, and Windows, atop a Chromium-based browser foundation tied to Node.js. Known for being easy to use and hard to secure"
And also being known to suck up RAM like nothing else. Slack on my work machine, at the time of writing this post, has sucked up just over 5GB of RAM. To need 5GB of RAM to do what is effectively a slightly glorified IRC client is mental, and just demonstrates how poor the "developers" of Slack and/or Electron are.
Not to mention this general trend of a desktop app being a loose wrapper around a web-browser + website bundle is just dumb. The whole point of a desktop app is that it is not a web app. If I wanted web-based bloat, I would just use the app on my browser. Don't sell me on "we have a desktop app", which turns out to just be a locally run web server + browser + webapp in a horrendous bloated bundle. That is even worse than just using the web-app in the first place.
The only silver lining, is that this level of bloat is causing my company to purchase new laptops for all of us, so we can run Slack and something actually productive at the same time (we get a bump from 8GB to 32GB of RAM).
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2020
