
Hacking Slack using postMessage and WebSocket-reconnect to steal your token - rpicard
https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-and-websocket-reconnect-to-steal-your-precious-token
======
zaroth
One of the best vuln write-ups I've read in a while, in that it steps you
through how the initial entrypoint was found, and the steps needed to turn
that into a dangerous exploit.

I think what really makes this writeup worth the read is the insight it shows
into the thought process of identifying an interesting bug and weaponizing it.
Thanks Frans!

~~~
fransr
Thanks a lot! I had a lot of fun doing it and I really wanted to get every
step of the process out there, so that was some really nice feedback :)

------
dantiberian
The mitigation creating an a element seems a little bit awkward:

    if (!TS.utility.calls.verifyOriginUrl(evt.origin)) {
      return
    }
    ...
    verifyOriginUrl: function(originHref) {
            var a = document.createElement("a");
            a.href = originHref;
            return a.hostname == window.location.hostname
    },

Is there a JS API for getting the host name from an origin, or is creating DOM
elements the way to do this?

~~~
laktek
There's a URL interface [0] in Web API, but unsupported in IE 11 [1].

[0] [https://developer.mozilla.org/en/docs/Web/API/URL](https://developer.mozilla.org/en/docs/Web/API/URL)

[1] [http://caniuse.com/#search=URL](http://caniuse.com/#search=URL)

~~~
JohnDotAwesome
Be careful with createElement('a') in IE. If the URL contains credentials
(username or username and password), it'll throw a security exception.

[https://support.microsoft.com/en-us/help/834489/internet-explorer-does-not-support-user-names-and-passwords-in-web-site-addresses-http-or-https-urls](https://support.microsoft.com/en-us/help/834489/internet-explorer-does-not-support-user-names-and-passwords-in-web-site-addresses-http-or-https-urls)

------
EnigmaticLion
Just out of curiosity, how long did it take for you to come up with this PoC?
From the initial notice that something might be exploitable until you sent the
email to slack?

Your post makes it look so easy, but it would surely take weeks for me to
figure out all these things.

~~~
fransr
It's a common pitfall and easy to look for. The stuff I spent most time with
regarding this specific issue was finding the proper event that did something
bad.

------
homakov
Exposing onmessage wasn't the best idea. Instead it should be something more
restrictive with origin check built in.

    addMessageListener("https://*.slack.com", function(data){})
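
An added example (not Slack's code and not from the linked write-up) that answers dantiberian's question with the URL interface laktek mentions and wraps the listener the way homakov suggests; `originMatches`, `addMessageListener` and the `https://*.slack.com` pattern syntax are names and conventions chosen here. Unlike the hostname-only comparison quoted above, it also requires the scheme and port to match.

```javascript
// Return true when `origin` (the string from evt.origin, e.g.
// "https://app.slack.com") matches `pattern`, which is either an exact
// origin such as "https://example.com" or a wildcard such as
// "https://*.example.com" (any subdomain, but not the bare apex).
// Scheme and port must match; "null" and malformed origins fail.
function originMatches(origin, pattern) {
  let o;
  try {
    o = new URL(origin); // throws for "null" (opaque origins) and garbage
  } catch (e) {
    return false;
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:*]+)(?::(\d+))?$/i.exec(pattern);
  if (!m) throw new Error("bad origin pattern: " + pattern);
  const [, scheme, wildcard, host, port] = m;
  if (o.protocol !== scheme.toLowerCase() + ":") return false;
  // URL.port is "" for the scheme's default port; a pattern without an
  // explicit port therefore only matches default-port origins.
  if (o.port !== (port === undefined ? "" : port)) return false;
  const h = o.hostname.toLowerCase();
  const want = host.toLowerCase();
  return wildcard ? h.endsWith("." + want) : h === want;
}

// Hypothetical restrictive listener (homakov's idea): the handler only ever
// sees messages whose origin passes the allow-list; everything else is
// dropped before any application code runs. Returns the raw listener so a
// caller can remove it later.
function addMessageListener(allowedPattern, handler, target = globalThis) {
  const listener = (evt) => {
    if (!originMatches(evt.origin, allowedPattern)) return;
    handler(evt.data, evt.origin);
  };
  target.addEventListener("message", listener);
  return listener;
}
```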

------
scott_karana
Kudos to Slack for the quick fix! I've also been pleasantly surprised by their
response times for bug reports, and even feature requests.

Wonder if their support team is proportionately larger than most startups, or
if "10x Support Agents" are a thing?

