
A Slack Bug Exposed Some Users’ Hashed Passwords for 5 Years

Press room Published August 5, 2022
Last updated: 2022/08/05 at 10:29 PM

The office communication platform Slack is known for being easy and intuitive to use. But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users’ passwords. 

When users created or revoked a link—known as a “Shared Invite Link”—that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator’s hashed password to other members of that workspace. The flaw impacted the password of anyone who made or scrubbed a Shared Invite Link over a five-year period, between April 17, 2017, and July 17, 2022.

Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The errant passwords weren’t visible anywhere in Slack, the company notes, and could only have been captured by someone actively monitoring relevant encrypted network traffic from Slack’s servers. Though the company says it’s unlikely that the actual content of any passwords was compromised as a result of the flaw, it notified impacted users on Thursday and forced password resets for all of them.

Slack said the situation impacted about 0.5 percent of its users. In 2019, the company said it had more than 10 million daily active users, which would mean roughly 50,000 notifications. By now, the company may have nearly double that number of users. Some users who had passwords exposed throughout the five years may not still be Slack users today.

“We immediately took steps to implement a fix and released an update the same day the bug was discovered, on July 17th, 2022,” the company said in a statement. “Slack has informed all impacted customers and the passwords for impacted users have been reset.”

The company did not respond to questions from WIRED by press time about which hashing algorithm it used on the passwords and whether the incident has prompted broader assessments of Slack’s password-management architecture.

“It’s unfortunate that in 2022 we’re still seeing bugs that are clearly the result of failed threat modeling,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “While applications like Slack definitely perform security testing, bugs like this that only come up in edge case functionality still get missed. And obviously, the stakes are very high when it comes to sensitive data like passwords.”

The situation underscores the challenge of designing flexible and usable web applications that are also architected to silo and limit access to high-value data like passwords. If you received a notification from Slack, change your password and make sure you have two-factor authentication turned on. You can also view the access logs for your account.
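As an added illustration (not Slack's code, and not part of the original article), the sketch below shows how a server event can carry a stored password hash to other clients and two controls that stop it: an allowlist projection and an egress guard. The article does not say how Slack built its message, so the event shape, field names and functions are all hypothetical, and the user record is constructed sample data.

```python
import json

# Constructed sample record, as a server-side user store might hold it.
USER = {
    "id": "U123",
    "display_name": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$CONSTRUCTED-SAMPLE-HASH-NOT-REAL",
    "totp_secret": "CONSTRUCTED",
}

SENSITIVE_KEYS = {"password_hash", "totp_secret"}
PUBLIC_USER_FIELDS = ("id", "display_name")


def invite_event_leaky(user, link_id):
    """Assumed failure mode: the whole stored record is copied into the event."""
    return {"type": "invite_link_created", "link": link_id, "creator": dict(user)}


def invite_event_safe(user, link_id):
    """Allowlist projection: only named public fields ever leave the server."""
    creator = {k: user[k] for k in PUBLIC_USER_FIELDS}
    return {"type": "invite_link_created", "link": link_id, "creator": creator}


def find_sensitive(payload, path="$"):
    """Recursively list the paths of sensitive keys in an outgoing payload."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive(item, f"{path}[{i}]"))
    return hits


def broadcast(event):
    """Egress guard: refuse to serialize an event that carries a sensitive key."""
    hits = find_sensitive(event)
    if hits:
        raise ValueError(f"blocked sensitive fields: {hits}")
    return json.dumps(event, sort_keys=True)
```

Running `find_sensitive` over every event type in a test suite covers rarely exercised paths such as link creation and revocation, which are easy to miss in manual review.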
