
Remote Code Execution in Slack desktop apps - tonny747
https://hackerone.com/reports/783877
======
oskarsv
I wrote that exploit & report. Just some thoughts on comments here.

Sure the bounty is low, but ultimately it's their money and their decision.
They will deal with the 'consequences' of others skipping their program and
some public shaming.

I find everyone talking about black markets etc. kind of ridiculous. Really?
You would sell something like this, so someone can be spied upon or maybe
literally chopped to pieces? Jesus, not everything is about money - it was a
fun challenge to chain it all together and I learned a lot from it.

The most outrageous part for me was the blog post I discovered by accident -
it included no references or mentions (check archive.org). Both of the code
snippets there are from my RCE reports. At the same time they were denying my
requests for disclosure.

Of course, I understand that coordination mistakes like this happen, so I
accept their apology and move on!

Evidence - original RCE video with huge CSS injection overlay:
[https://www.dropbox.com/s/11pv2ghdkw5g84b/css-rce-overlay.mo...](https://www.dropbox.com/s/11pv2ghdkw5g84b/css-rce-overlay.mov?dl=0)

~~~
krageon
> You would sell something like this, so someone can be spied upon or maybe
> literally chopped to pieces? Jesus, not everything is about money

If you haven't had food for a few days everything is indeed about money.
Either you reward someone properly for the work that they can do or they'll
find someone else who does. I doubt most people get fuzzy warm feelings
helping a big US corporation that's too greedy to actually pay independent
researchers properly.

Edit: That's not to say your work wasn't cool btw. It's very admirable for you
to view it the way you do.

~~~
namdnay
> If you haven't had food for a few days everything is indeed about money

I doubt anybody capable of finding an exploit like this is in that situation

~~~
devwastaken
Most software is made entirely free with no source of income. The job market
for software is terrible, and those people work entirely separate jobs from
it. Many program on a very minimum life expenditure.

~~~
todd3834
[https://levels.fyi](https://levels.fyi) disagrees. I can confirm the offers
on there are real

~~~
vermilingua
You replied to a claim about “most software” with a site that compares big
tech companies, and only their US offices. The world is much bigger than your
bubble.

~~~
todd3834
Do you have any data that counters what I’m saying? I know people in other
countries don’t make the same salaries but they are “mostly” doing pretty well
for their region

~~~
jcelerier
> I know people in other countries don’t make the same salaries but they are
> “mostly” doing pretty well for their region

here's some job postings for software engineer in Bordeaux, France:
[https://www.indeed.fr/Bordeaux-(33)-Emplois-Ingenieur-Inform...](https://www.indeed.fr/Bordeaux-\(33\)-Emplois-Ingenieur-Informatique)

It's around three times less.

~~~
todd3834
How does it compare to the local economy?

------
sjy
They didn’t disclose for months, and when they did, they failed to credit the
researcher who found the bug, and started their blog post by saying “This is a
fancy way of saying we’ve dialed up the security of the app. It wasn’t unsafe
before, but it’s double safe now.” That sucks.

~~~
algesten
They can't go back in time and change how they did it, and they did explain
and apologised for not handling it correctly.

Stuff like that happens. We should only judge them if they screw up like that
again.

~~~
luckylion
Aka "first murder is on the house, the second one you pay for".

~~~
tobr
How does it make even a little sense to compare this to murder?

~~~
jcelerier
consider murder a metasyntactic variable

------
rvz
Great report on a critical RCE vulnerability in Slack. However, I will bite.

$1,750 for a detailed report on a critical RCE is like rewarding sniffer-dogs
with breadcrumbs. One could sell this exploit at least for 5 figures on the
black market.

In all cases, since Electron brings XSS to the desktop, it is a hacker's
paradise.

~~~
pansa2
> since Electron brings XSS to the desktop, it is a hacker's paradise.

Just curious - what makes XSS on the desktop different from other kinds of RCE
vulnerability?

~~~
slimsag
Nothing, but if Slack was a web application and not an Electron application it
would mean XSS would not immediately lead to RCE, you would need XSS and a
vulnerability in the browser to get an RCE. Electron is basically that for you
already: a vulnerable browser.

~~~
wereHamster
I refuse to use the Slack desktop app, and use Slack only through a web
browser. I trust Chrome (Google), Firefox (Mozilla), Safari (Apple) far more
than the Slack engineers.

------
gorgoiler
$1750 for that?! Security researchers need to organize!

I have no idea what I’m talking about but my guess would be that the security
economics of finding an RCE make it very valuable. The disclosure would be
worth considerably more to Slack than this bounty. Something in the order of
months’ worth of skilled labour, not hours.

I suppose the economics also mean Slack only have to outpay the bad guys, so
this is really showing us how poorly compensated black hat labor is?

~~~
jcims
>$1750 for that?! Security researchers need to organize!

[https://hackerone.com/slack?type=team](https://hackerone.com/slack?type=team)

It says right on the tin what the payout is going to be. If you don't like the
terms of the program, don't participate. It's not really that difficult a
concept.

~~~
slimsag
Had the researchers (unethically) published it as a zero-day vulnerability in
e.g. a blog post stating "the slack payout wasn't enough for us to care" -
what would've been their legal risks?

I assume that would be _one_ way to get companies to care more about rewarding
people who spend substantial amounts of time researching their security

~~~
WrtCdEvrydy
A friend of mine swears that you can be sued for 'business damages' over
improper disclosure. Sadly, the US is a non-permissive environment so I tend
to believe it.

~~~
tptacek
I think that friend of yours is almost certainly wrong, and for decades now
there have been notable researchers who disclose publicly and immediately.

------
EE84M3i
One click RCE, not zero. $1,750 still seems a little low by H1 standards, but
probably not by an order of magnitude.

Cool to see how they used the html injection gadget.

Seems like Slack messed up with the blog post but made a sincere attempt to
make amends.

I've noticed Slack is pretty good about allowing disclosure of H1 bugs. It's a
really hard sell in a lot of companies, so I think they should be applauded
for that.

------
kevsim
Oh man, the use of <area> and <map> here is awesome. Not enough of a security
guy to know if this is a typical approach, but it's devious.

I guess the moral of the story is to try not to have places where arbitrary
HTML is injected?

~~~
missblit
Yep. HTML is a huge surface, so just blocking "interesting" tags / attributes
is fragile at best (Similar to misguided attempts to block SQL injection
through string validation instead of cutting off the root cause).

The other moral of the story is you need to be extra careful to write a secure
Electron program, since XSS is a bigger problem than it would be in a desktop
browser. Step 3 shows that the RCE could execute programs outside of the JS
environment.

------
nahbulursun
Low payout aside, it's too bad they didn't properly credit the researcher when
they disclosed the vulnerability. There's always another path to getting paid
for exploits: [https://en.m.wikipedia.org/wiki/Market_for_zero-day_exploits](https://en.m.wikipedia.org/wiki/Market_for_zero-day_exploits).

------
0xy
So Slack offers the guy a paltry $1,750, then attempts to take credit for his
work while also screwing him out of his own disclosure.

This kind of response to security researchers just invites the next researcher
to sell the exploit instead, or to actively exploit it.

Why does Slack seem like a company that is floundering? It took them _over
two years_ to release a simple feature like shared channels. It seems like
the app is frozen in time and the company is doing nothing except keeping the
lights on and waiting for Teams to obliterate them.

Slack turned from a hungry tiger startup into an exhausted lumbering
enterprise giant whose primary weapon is litigation and mudslinging (Slack
initially encouraged the Teams competition, then filed suit against Microsoft
in perhaps the biggest case of corporate sour grapes in some time).

Pay your security researchers properly, Slack.

~~~
thefreeman
> A simple feature like shared channels

You think merging two or more organizations' workspaces in a sane and secure
manner after likely basing the entire app infrastructure around the idea of a
single workspace is a "simple feature"? This is a textbook example of the
classic HN comment "Why does this company need X engineers to create Y
product. I could do it in a weekend."

~~~
0xy
Except I never claimed it could be done in a weekend, only that it shouldn't
take 1,600 employees two years to roll out a single feature while the main app
has severe problems (zero error handling during downtime).

Then there's Slack's other "features", like the rich text editor nobody liked
or wanted and that they initially refused to change.

Look at Teams' trajectory in the same timeframe.

Slack video calling is still bad. It's been years.

------
dowakin
Conclusion: if you have a choice between an Electron app and a web app, use the
web app. It's safer and battle tested for years. Electron apps will have their
IE6, Flash and Java situations.

------
lordnacho
Under $2K seems very cheap for what was discovered. Did it take less than two
days to do this exploit?

Perhaps the model should be an immediate price like the one that was offered,
but also the ability to ask for more, confidentially. For instance you might
feel this thing is worth more like $10k, and you could show the screengrab.
Then the firm can decide whether to just pay up or haggle. And of course you
still have Hacker One to arbitrate that the vuln is actually what was touted.

Nothing's perfect, of course there are holes in this idea as well.

------
keymone
Damn. The next vulnerability will go for sale in dark hat circles for sure.
Good job slackers.

~~~
kamyarg
Unless Slack does the right thing and pays this researcher properly. It is
never too late until it is.

------
ricardobeat
> it is still possible to inject area and map tags

This is the critical oversight - what would be the reason to not use a
whitelist instead, or even custom tags instead of plain HTML? Most of the
existing libraries for sanitizing html work like that.
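
As an added example, not code from this thread or from Slack, here is the policy difference missblit and ricardobeat describe: one simplified tag tokenizer run under a denylist, which passes `<map>`/`<area>` because nobody listed them, and under an allowlist, which drops any tag or attribute it does not know. The regex tokenizer and the constructed sample message are assumptions for illustration; a real sanitizer should be parser-based (e.g. DOMPurify).

```javascript
// Added example, not code from the HN thread or from Slack: the same simplified
// tag tokenizer run under two policies. The regex tokenizer is an assumption
// for illustration only; a production sanitizer must be parser-based (e.g. DOMPurify).
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Denylist: only tags someone remembered to list are removed, so <map>/<area>,
// which nobody thought of, pass straight through with all their attributes.
const DENIED_TAGS = new Set(["script", "iframe", "object", "embed", "img", "svg"]);
function sanitizeDenylist(html) {
  return html.replace(TAG_RE, (tag, name) =>
    DENIED_TAGS.has(name.toLowerCase()) ? "" : tag);
}

// Allowlist: a tag survives only if it is known, and each attribute survives
// only if it is allowed for that tag and (for href) uses a safe URL scheme.
const ALLOWED = { b: [], i: [], code: [], pre: [], p: [], br: [], a: ["href"] };
const SAFE_HREF = /^(https?:|mailto:)/i;
function sanitizeAllowlist(html) {
  return html.replace(TAG_RE, (tag, name, attrs) => {
    const t = name.toLowerCase();
    if (!(t in ALLOWED)) return "";                  // unknown tag: drop it
    if (tag.startsWith("</")) return `</${t}>`;      // closing tags carry no attributes
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const key = m[1].toLowerCase();
      const val = (m[2] ?? m[3] ?? m[4]).trim();
      if (!ALLOWED[t].includes(key)) continue;       // unknown attribute: drop it
      if (key === "href" && !SAFE_HREF.test(val)) continue;
      kept.push(`${key}="${val.replace(/"/g, "&quot;")}"`);
    }
    return `<${t}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Constructed sample message: a harmless <b>, a <map>/<area> pair that the
// denylist never mentions, and a link with a disallowed scheme and attribute.
const SAMPLE =
  '<b>hi</b> <map name="m"><area shape="rect" coords="0,0,9,9" href="https://x.example/"></map>' +
  ' <a href="ftp://x.example/" style="color:red">x</a>';

console.log(sanitizeDenylist(SAMPLE));   // <map>/<area> pass through unchanged
console.log(sanitizeAllowlist(SAMPLE));  // <b>hi</b>  <a>x</a>
```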

------
29athrowaway
Apparently Slack has changed their bounty program payment structure, and for
RCE issues they're now paying $5000 and up.

[https://hackerone.com/slack](https://hackerone.com/slack)

------
touchpadder
that's why I stick to the web client

~~~
SXX
This. It's just insane to use all these Electron-based apps giving them access
to all your data.

------
Angeo34
An Electron app with an RCE? Wow, this is so unexpected, never thought this
would happen.

------
GEBBL
What an excellent write up.

I hope Slack review the payment and give you a bit more.

------
TheUndead96
It is my belief that most people would not use Slack if it did not have the
business buy-in it now has. Most people are forced to use Slack.

~~~
dheera
Curious what the hate for Slack is. I use a 1-person Slack workspace for
personal note-taking and memory extension, and I find it is also a super
useful tool to manage ideas, photos, shared files in romantic relationships.

For either use case the ability to write bots for it, and the fact that it
syncs across devices with multiple simultaneous logins is awesome.

~~~
hacker_newz
How do you use a 1-person Slack workspace for shared files in relationships?

~~~
dheera
I have a 1-person workspace for personal note-taking and also a 2-person
workspace for shared files/links/photos/etc. in a relationship.

I also find the 1-person workspace to sadly be the easiest way to transfer
files between my computers and phones. Like for example when I need to take a
PDF with me to the airport or elsewhere, I just drag the PDF into my 1-person
Slack workspace and head out the door. Every other method I've tried involves
more steps. The mobile clients of Dropbox and Google Drive make it
unreasonably hard to actually download files.

------
er0k
so... where did the article go?

------
higerordermap
They seem to be a company of bastard suits.

Their desktop client is an abomination. Worst even among Electron apps. IIRC
once it was spanning a process per identity. Because some manager decided to
hire bootcamp webshits. It is possible to do much more decent apps with even
Electron.

And when an article about electron was posted, a person from Slack,
'javascript hacker at slack' in his bio, jumped to defend it without even
putting a disclaimer.

Now they are treating a security researcher badly with these low bounties. This
guy has good intentions and didn't want to sell it. But even if 10% of people
sell it or use it on behalf of nation state actors, imagine the damage.

Pretty sure it is some shitty MBAs who don't even know about technology being
there.

It is not welcome to be undiplomatic on HN, I know. But let me say this out.
Fucking non technical people should not be allowed to decide on technical
matters. But those shitheads generally have political abilities. That's what
happened when Larry Page tried to oust those suits out of Google engineering
divisions.

