Cybersecurity: How some users' hashed passwords were exposed for five years by a Slack bug
The news surprised many Slack users, who had assumed their hashed passwords were safe. Slack is one of the simplest and most intuitive workplace communication platforms, yet for the last five years a bug in it was quietly exposing some users' hashed passwords. Slack has disclosed the bug and says it is now fixed.
The bug was triggered when a user created or revoked a shared invite link, the link that lets other people sign up for a Slack workspace. Along with the link event, Slack also transmitted the host's hashed password to other members of that workspace.
The hash was not displayed in any Slack client; recovering it required actively monitoring the encrypted network traffic coming from Slack's servers. Because what leaked was a salted, one-way hash rather than the plaintext password, an attacker who captured it would still have had to crack it offline, so users with weak or reused passwords were the ones at real risk. When Slack reviewed the issue, it found that the bug had been present for more than five years, between April 17, 2017, and July 17, 2022.
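The mechanism described above is a classic over-serialization bug: an event that should carry only public profile fields is built from the whole user record, and a secret field rides along. The following Python is an added illustration of that bug class and two controls against it; it is not Slack's code, and the event name, record fields and helper names (`vulnerable_invite_event`, `hardened_invite_event`, `find_sensitive_keys`) are hypothetical.

```python
"""Added example (not Slack's code): how a broadcast event can leak a password
hash through over-serialization, and two controls against it.
All record, event and field names here are hypothetical."""
import hashlib
import os
import re
from dataclasses import dataclass, asdict
from typing import Any, List

# Key names that must never appear in an outbound payload.
SENSITIVE_KEY = re.compile(r"(password|passwd|pw_hash|secret|token)", re.IGNORECASE)


@dataclass
class User:
    user_id: str
    display_name: str
    password_hash: str  # salted one-way hash; should never leave the auth store


def vulnerable_invite_event(host: User, invite_url: str) -> dict:
    """Event fanned out to workspace members when an invite link is created.
    Serializing the whole User object drags password_hash into the payload:
    this is the bug class, even though no client ever displays the field."""
    return {"type": "shared_invite_created", "invite_url": invite_url, "host": asdict(host)}


def hardened_invite_event(host: User, invite_url: str) -> dict:
    """Same event built from an explicit allow-list of public fields, so a new
    column added to User later cannot silently start leaking."""
    public_host = {"user_id": host.user_id, "display_name": host.display_name}
    return {"type": "shared_invite_created", "invite_url": invite_url, "host": public_host}


def find_sensitive_keys(payload: Any, path: str = "") -> List[str]:
    """Walk a JSON-like payload and return dotted paths whose key looks secret.
    Intended as a regression test over every outbound event type, or as an
    egress check in front of the fan-out layer."""
    hits: List[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key):
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return hits


def make_user() -> User:
    """Constructed sample user with a salted PBKDF2 hash (sample data only)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", salt, 100_000)
    return User("U123", "Alice", salt.hex() + "$" + digest.hex())


if __name__ == "__main__":
    user = make_user()
    url = "https://example.invalid/join/abc"  # constructed, not a real link
    print("vulnerable:", find_sensitive_keys(vulnerable_invite_event(user, url)))
    print("hardened:  ", find_sensitive_keys(hardened_invite_event(user, url)))
```

The allow-list in `hardened_invite_event` is the structural fix; the key scanner is the safety net that catches the next field someone adds to the record. Neither depends on the hash being weak or strong, which is the point: the flow of the field, not its format, is what should have been threat-modelled.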
Slack said it had no indication that anyone had actually obtained plaintext passwords, but it still reset the passwords of the affected accounts. According to Slack, roughly 0.5% of its users were affected; against a base of about 10 million daily active users, that works out to about 50,000 password resets and notifications.
Since the disclosure, Slack has drawn sharp criticism from security analysts. Jake Williams, director of cyber-threat intelligence at Scythe, said, "In 2022, we're still seeing bugs that result from failed threat modelling. While applications like Slack perform security testing, bugs like this one come up in edge case functionality. The stakes are very high regarding sensitive data like passwords."
While this remains a cause for concern for Slack users, it also underscores how hard it is to design flexible, usable and secure web applications that still strictly limit where high-value data such as password hashes can flow.
Slack users should change their passwords, especially if they received a notification from Slack, and should make sure two-factor authentication is turned on.