Quote:A critical vulnerability in the popular Slack collaboration app would allow remote code-execution (RCE). Attackers could gain full remote control over the Slack desktop app with a successful exploit — and thus access to private channels, conversations, passwords, tokens and keys, and various functions. They could also potentially burrow further into an internal network, depending on the Slack configuration, according to a security report.
The bug (rated between nine and 10 on the CvSS vulnerability-severity scale), was disclosed on Friday, and involves cross-site scripting (XSS) and HTML injection. Slack for Desktop (Mac/Windows/Linux) prior to version 4.4 are vulnerable.
“With any in-app redirect-logic/open redirect, HTML or JavaScript injection, it’s possible to execute arbitrary code within Slack desktop apps,” wrote a bug-hunter going by the handle “oskarsv,” who submitted a report on the bug to Slack via the HackerOne platform (earning $1,500). “This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE JavaScript payload.”
According to the disclosed technical writeup, attackers could trigger an exploit by overwriting Slack desktop app “env” functions to create a tunnel via BrowserWindow; to then execute arbitrary JavaScript, in what is “a weird XSS case,” he said.
Read more: https://threatpost.com/critical-slack-bu...ns/158795/
![[-]](https://www.geeks.fyi/images/collapse.png)
