Critical vuln that lets miscreants hijack computers via Slack? *Sucks in air* We'll give you $1,750 for it

A critical remote-code-execution vulnerability affecting past versions of the Slack desktop app was disclosed on Friday after the software maker fixed its app. The behind-the-scenes wrangling leading up to the patch has prompted criticism regarding the size of the bug bounty reward for the vulnerability, and the persistent …

  1. QM64

    "People You Trust"

    Slack is used by many organisations where trust is implicit, such as user groups and MeetUp groups. The owners of the Slack "org" can vouch for almost no one, and know most users only by their interactions within the Slack org itself. Getting an invitation takes almost no work at all.

    Slack should have ponied up and paid a lot more for this bug.

  2. Sorry that handle is already taken. Silver badge

    "We deeply value the contributions of the security and developer communities"

    Apparently they don't also broadly value those contributions.

    1. Anonymous Coward

      Re: "We deeply value the contributions of the security and developer communities"

      If the reward isn't big enough, just post the vuln on the open web. Too many organizations rely on bounties to catch their sloppiness. They need to become fearful at every revision release.

  3. osakajin Bronze badge

    Can't we all just get along?

  4. Mark192 Bronze badge

    Slack is gonna look so secure...

    Slack is gonna look so secure as bug reports fall

    Looks like Slack realised it's too insecure; "look at all these critical vulnerabilities reported to us!"...

    ... and decided to fix it by adjusting what counts as critical; "look boss, bug bounty paid out 60% fewer bounties for critical exploits - we're so secure now!"

    I bet they get a bonus for it too.

    1. Yet Another Anonymous coward Silver badge

      Re: Slack is gonna look so secure...

      And think of all the free publicity they will get when large organisations are hacked because of a Slack bug.

      Soon CTOs will all be discussing Slack.

  5. SmartAlec

    He could have got double that on ebay

    Imagine other places.... thank goodness there's credit for work which they can cash in later that's at least worth something!

    1. SmartAlec

      Re: He could have got double that on ebay

      ....oh wait....

    2. Outer mongolian custard monster from outer space (honest)

      Re: He could have got double that on ebay

      Actually a well known (legal) vuln brokerage tweeted out saying the next one someone finds in a similar manner to approach them & they would offer 10k for it. You don't have to join hackerone or the other bounty schemes to sell a vuln.

      So, now slack can expect to get hit with 0 day disclosures and be part of well funded exploit buyers attack toolkits.

      Silly Slack, and they come from this culture and 100% should have known how this works. I guess their huge market cap, turnover and resources didn't quite cover rewarding researchers so they don't go elsewhere with their findings. Their loss.

      1. ryokeken

        “They come from this culture” yup and have been consistent

        As a long-time lurker at El Reg (and TWIT), it seems to me that security has never been part of this culture. From WinXP all the way up to Zoom, none of these MoFos (err, Men Of Fortune) has ever been punished for poor security and its consequences, not financially, not with jail, and definitely not with social shame. Bill Gates is celebrated for his fight against malaria with OUR OWN MONEY, ahem, Hank Scorpio keeps trying to take over the world and he gets a cameo on TV?, and every single critic of Mark Zuckerberg has a Facebook page, an Instagram account and bitches to his friends through WhatsApp.

        Oopsie, I ran into a rant

  6. Richard 12 Silver badge

    "Run arbitrary code"

    In an Electron "app" that also means "replace the entire Electron binary with one that does whatever the miscreant so desires".

    Thus leaving a fun timebomb that will explode next time the user starts the thing.

    Electron drives a coach and horses through the OS security model, so your only defence is Electron itself.

    Which apparently has no defences by default. Joy.

  7. Anonymous Coward

    Welcome to bug bounties

    This has been going on ever since bug bounties were 'launched' as platforms (ie. bugcrowd, hackerone, Synack) back in 2012/13. I once found a bug for a Nasdaq listed company that's valued at a few billion $ and that has about 200-300 million users. The bug allowed me to extract all 300 million account details, and then modify said account details all from an unauthenticated remote position. I got paid 5000$. When I found a second bug which did the same thing a few months later, this dropped to 1500$...

    1. Blazde

      Re: Welcome to bug bounties

      Even further back when cyber intelligence companies first started offering bounties independent of developers.

      The problem is the bug finder has almost no power in the negotiation. You get what you're given. I think it's best viewed as a freelance apprenticeship, or something on the side if you happen to be uncovering bugs anyway in your day-job. Then the payout only needs to cover your report writing time. Unfortunately the lottery aspect of it sucks people in with big expectations, in much the same way multi-level marketing does.

      1. MonkeyMagic

        Re: Welcome to bug bounties

        Spot on. The researcher is at the mercy of these companies. This guy posted a good article on what life is like for the bounty hunters:

        https://www.infosecurity-magazine.com/opinions/life-crowdsourced-hacker/

    2. Valeyard

      Re: Welcome to bug bounties

      I found an SQLi (which went further with OUTFILE, which could pivot to a shell, and the application was run as root for some reason) in a piece of software that the vendor sold to multiple orgs, meaning it was vulnerable for every customer.

      I got £40. I thought being paid beer money for stuff was limited to fixing your mum's printer, but I'm loath to try and ask for more, as the industry has too many stories of a company just flat out screaming blackmail, terminating safe harbour and threatening to call the cops if you object to the pittance.

      And that's not even mentioning a newbie triage guy saying "not in scope, we don't own that company" for a huge vuln, while the other triage guy gave me 5k for a smaller bug which got fixed in the same software. Go get him!

  8. don't you hate it when you lose your account Silver badge

    A man once saved my life

    The least I could do was give him the underwear I had on.

    1. Andy Non Silver badge

      Re: A man once saved my life

      Well that's just pants.

  9. Ilsa Loving

    "My fundamental complaint with Electron is that relatively basic usage still demands that non-security devs understand the full security properties of their system and scope broker usage appropriately," said Justin Schuh, engineering director for Google Chrome, via Twitter. "That's not reasonable, given it's one of the hardest tasks for security experts."

    Yes, it IS reasonable. If you are a dev, it is your effing job to understand the ramifications of the code that you write AND of the libraries you import. Saying that developers are not responsible for the security of their code is like saying engineers are not responsible for the structural integrity of the bridges they build.

    If this is a problem, then maybe you shouldn't be using the stupidest, most poorly designed programming language ever designed in the history of computer science.

    1. Richard 12 Silver badge

      Devs don't choose it

      Electron's entire existence is based on it being a framework any monkey can use.

      So managers choose it, and hire the cheapest monkeys possible.

  10. Ogi

    Electron...

    "Electron is a cross-platform framework that allows developers to create desktop client code using HTML, JavaScript, and CSS that runs on Linux, macOS, and Windows, atop a Chromium-based browser foundation tied to Node.js. Known for being easy to use and hard to secure"

    And also being known to suck up RAM like nothing else. Slack on my work machine, at the time of writing this post, has sucked up just over 5GB of RAM. To need 5GB of RAM to do what is effectively a slightly glorified IRC client is mental, and just demonstrates how poor the "developers" of Slack and/or Electron are.

    Not to mention this general trend of a desktop app being a loose wrapper around a web-browser + website bundle is just dumb. The whole point of a desktop app is that it is not a web app. If I wanted web-based bloat, I would just use the app on my browser. Don't sell me on "we have a desktop app", which turns out to just be a locally run web server + browser + webapp in a horrendous bloated bundle. That is even worse than just using the web-app in the first place.

    The only silver lining is that this level of bloat is causing my company to purchase new laptops for all of us, so we can run Slack and something actually productive at the same time (we get a bump from 8GB to 32GB of RAM).


Biting the hand that feeds IT © 1998–2020