Slack Reset Users Passwords After Discovering Invite Link Vulnerability

Share post:

U.S. software company Slack Technologies said in a blog post that it had proactively reset the passwords of 0.5% of its users after discovering a vulnerability in “invite link.”

According to the company, the bug affected all users who created or revoked a shared invite link between April17, 2017 and July 17, 2022. The vulnerability transmitted hashed versions of user passwords to other workspace members.

The vulnerability was uncovered by an independent security expert and revealed to Slack on July 17 and affects more than 60,000 users.

While Slack claimed to have fixed the bug on the same day it was discovered and notified affected users that their passwords were reset 18 days later, the company was unable to take into account the 0.5% number affected by the bug.

In an e-mail to affected customers, Slack stated that the hashed password of a user who created or revoked a shared invitation link was contained in the hidden events of raw data processed by Slack’s servers via a websocket processed by a Slack client app.

Slack explained that the hashed password is not stored or displayed in any Slack client. To detect these hashes, an encrypted monitoring of network traffic is required.

“We use a technique called salting to further protect these hashes. Hashed and salted passwords are secure but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected,” Slack wrote in the email to affected customers.

The sources for this piece include an article in CIODIVE.

SUBSCRIBE NOW

Related articles

Intel CEO Pat Gelsinger Retires Amid Record Losses and Ongoing Restructuring

Intel CEO Pat Gelsinger has announced his retirement effective December 1, marking the end of a challenging tenure...

Russian State-Backed Cyber Attack Exploits Zero-Day Vulnerabilities in Windows and Firefox

Headline: A sophisticated cyberattack leveraging two chained zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows has been confirmed by...

Starbucks Forced to Pay Baristas Manually After Ransomware Attack

A ransomware attack on Blue Yonder, a third-party scheduling software provider, has disrupted Starbucks’ ability to manage employee...

Google Launches Free Cybersecurity Certificate for Entry-Level Jobs

Google has introduced a new Cybersecurity Professional Certificate, aimed at preparing students for entry-level roles in just six...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways