Slack hack threatened to expose user account data and messages

News roundup: A researcher discovers a Slack hack through stolen tokens. Plus, another WordPress flaw puts 1 million users at risk; Necurs botnet does DDoS now; and more.

A security researcher found a flaw in the popular cloud messaging application Slack that allowed hackers access to users' accounts and messages.

The vulnerability in the Slack chat app, which is used in many enterprises, was discovered by Frans Rosén, a security researcher at Swedish web security firm Detectify. Rosén used the flaw to develop a proof-of-concept Slack hack to infiltrate users' accounts and messages using stolen xoxs tokens.

"I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token," Rosén explained in a post that outlined the technical details of the vulnerability.

The flaw, which was quickly patched by Slack, was due, in part, to the Slack client not checking the origin property of incoming messages. After discovering this, Rosén said he used the postMessage API and a WebSocket reconnect to create a unique webpage that reconnected the user's Slack WebSocket to his own WebSocket.

"As soon as the connects to our own socket, we dump the token, which our polling will find, then use it to gather data from the auth.test endpoint in the Slack API using the xoxs-token," Rosén detailed. "We have successfully stolen the token from the user."

Rosén sent his proof-of-concept Slack hack to the company when he found the flaw on Feb. 17. He said Slack responded 33 minutes later, and it had pushed out a fix for the vulnerability about five hours after that.

Slack's statement on HackerOne said Rosén "discovered a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens. We resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited."

Slack thanked Rosén for the find and paid him a $3,000 bug bounty. The fix for the Slack hack involved using a different technique to validate the origin properties of the messages.
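The root cause described above (a `message` handler that acts on cross-window messages without inspecting `event.origin`) and the fix (validating the origin properly) are illustrated below in a simulated handler. This is an added example and not Slack's code; the origin names, the `get_token` message type and the token value are all constructed placeholders, and the "event" objects are plain objects so the block runs under Node without a browser.

```javascript
// Added example (not Slack's code). A browser page receives cross-window
// messages via window.addEventListener("message", handler). The handler gets an
// event with .origin (the sender's scheme://host:port) and .data (the payload).
// Acting on .data without checking .origin lets any page that can obtain a
// reference to the window drive the handler.

// Hypothetical first-party origin; an allowlist, never a substring/regex test.
const TRUSTED_ORIGINS = new Set(["https://app.example-chat.test"]);

// Vulnerable pattern: every message is trusted, so a request for the session
// token is honoured regardless of who sent it.
function vulnerableHandler(event, session) {
  if (event.data && event.data.type === "get_token") {
    return { action: "send_token", token: session.token };
  }
  return { action: "ignore" };
}

// Hardened pattern: the origin must be a string and must be on the allowlist.
// "null" (sandboxed frames, file://) and undefined are rejected with everything else.
function hardenedHandler(event, session) {
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return { action: "reject", reason: "untrusted origin " + String(event.origin) };
  }
  if (event.data && event.data.type === "get_token") {
    return { action: "send_token", token: session.token };
  }
  return { action: "ignore" };
}

// When replying with postMessage, name the exact target origin rather than "*",
// so a sensitive reply can never be delivered to a window you did not intend.
function replyTargetOrigin(event) {
  return TRUSTED_ORIGINS.has(event.origin) ? event.origin : null;
}

// Constructed sample data: a placeholder token and two simulated message events.
const SESSION = { token: "xoxs-PLACEHOLDER-NOT-A-REAL-TOKEN" };
const fromApp = { origin: "https://app.example-chat.test", data: { type: "get_token" } };
const fromOtherSite = { origin: "https://other-site.example.test", data: { type: "get_token" } };
const fromNullOrigin = { origin: "null", data: { type: "get_token" } };

// Runs both handlers over the sample events and returns the decisions taken.
function demo() {
  return {
    vulnerableForeign: vulnerableHandler(fromOtherSite, SESSION).action, // "send_token"
    hardenedForeign: hardenedHandler(fromOtherSite, SESSION).action,     // "reject"
    hardenedNull: hardenedHandler(fromNullOrigin, SESSION).action,       // "reject"
    hardenedApp: hardenedHandler(fromApp, SESSION).action,               // "send_token"
    replyTo: replyTargetOrigin(fromOtherSite),                           // null
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The comparison is made on the full origin string, not on the hostname alone, so `https://app.example-chat.test.evil.test` or an `http://` variant of the same host does not pass; that is the check a reviewer should look for in any `message` handler that hands out credentials.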

In other news:

  • More than 1 million WordPress users are at risk because of a critical vulnerability in the NextGEN Gallery plug-in. The SQL injection vulnerability, found by Sucuri researcher Slavco Mihajloski, "allows an unauthenticated user to grab data from the victim's website database, including sensitive user information." WordPress users who implement NextGEN Basic TagCloud Gallery on their site, or who allow contributors to submit posts, are at risk. "This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress-prepared SQL query, which is basically the same as adding user input inside a raw SQL query," Mihajloski explained in a blog post. "Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations." Mihajloski described this vulnerability as a "critical issue," and said updating WordPress immediately is the best fix.
  • A new study from Forter and the Merchant Risk Council (MRC) found that online fraud in the United States has grown significantly since the implementation of EMV cards. The overall rate of online fraud increased 8.9% from 2015 to 2016, and the Forter-MRC Global Fraud Attack Index cited EMV adoption as the reason for the increase. "This may be because the fraudster community had shifted online in advance of and directly after the U.S. adoption of EMV, knowing that card present fraud would be more difficult and that the card not present channel would be more vulnerable," the report stated. "The general increase in fraud attack rate reflects the appealing nature of the online channel to the criminal community. The growth of e-commerce and mobile commerce, the abundance of stolen data, the opportunities for obfuscation, the tools available to them, the unlikelihood of reprisals for fraud attempts and more all combine to make online attacks attractive to criminals." Another notable finding is domestic fraud was 79% riskier in 2016 than in 2015; however, international fraud attacks against the U.S. were still 62.3% riskier than domestic fraud.
  • The Necurs botnet has evolved to be able to perform distributed denial-of-service (DDoS) attacks. The Necurs botnet, estimated to be one of the largest botnets ever created, has previously been known for distributing Locky ransomware and the Dridex banking Trojan through spam emails. Now, the massive botnet has reportedly upgraded the malware it delivers to be able to launch DDoS attacks. BitSight's Anubis Labs first uncovered the botnet's new ability in September when it noticed an infected system was communicating using unusual IPs, ports and protocols. It compared a module request of a typical Necurs-infected system with the unusual one. "We downloaded the module and reverse-engineered it to try to understand exactly what it was," explained AnubisNetworks' recent blog post on the finding. "At first look, it seemed to be a simple SOCKS/HTTP proxy module, but as we looked at the commands the bot would accept from the C2, we realized that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDOS attack." The blog post also noted that AnubisNetworks had not seen Necurs being actively used for DDoS attacks in the wild yet.
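Returning to the NextGEN Gallery item above: Mihajloski's point that user input placed inside a "prepared" query template is equivalent to raw SQL is shown below with a minimal stand-in for a prepare()-style API. This is an added example, not the plugin's or WordPress's code; `prepareStmt`, the table and column names, and the sample input are all constructed for illustration.

```javascript
// Added example (not the plugin's code). prepareStmt is a hypothetical,
// deliberately small imitation of a prepare()-style API: %d placeholders are
// replaced by an integer-coerced parameter, %s placeholders by a quoted,
// escaped string parameter. Placeholders protect only the values passed in
// params; text already present in the template is emitted verbatim.
function prepareStmt(template, params) {
  let i = 0;
  return template.replace(/%[ds]/g, (placeholder) => {
    if (i >= params.length) throw new Error("too few parameters for template");
    const value = params[i++];
    if (placeholder === "%d") {
      const n = Number.parseInt(String(value), 10); // anything non-numeric becomes 0
      return Number.isNaN(n) ? "0" : String(n);
    }
    // %s: escape backslashes and single quotes, then quote the whole value.
    const escaped = String(value).replace(/\\/g, "\\\\").replace(/'/g, "\\'");
    return "'" + escaped + "'";
  });
}

// Wrong: the untrusted value is concatenated into the template *before*
// prepareStmt runs, so prepareStmt never sees it as a parameter. The template
// contains no placeholder, and the input lands in the SQL unchanged.
function unsafeQuery(userInput) {
  return prepareStmt("SELECT id, name FROM gallery WHERE id = " + userInput, []);
}

// Right: the untrusted value is passed only as a parameter, so %d coerces it
// to an integer and any trailing text is discarded.
function safeQuery(userInput) {
  return prepareStmt("SELECT id, name FROM gallery WHERE id = %d", [userInput]);
}

// Constructed sample input: a numeric id with extra SQL appended, the generic
// shape that any integer-id parameter should be tested against.
const SAMPLE_INPUT = "5 OR 1=1";

// Returns both rendered statements side by side for comparison.
function compare(userInput) {
  return { unsafe: unsafeQuery(userInput), safe: safeQuery(userInput) };
}

console.log(JSON.stringify(compare(SAMPLE_INPUT), null, 2));
```

The review heuristic that follows from this: any call where the first argument (the template) is built with `+`, string interpolation or `sprintf`-style formatting from a request parameter is unparameterised, regardless of what the function is called.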
