Remote Code Execution in Slack desktop apps (hackerone.com)
510 points by tonny747 on Aug 29, 2020 | 196 comments



I wrote that exploit & report. Just some thoughts on comments here.

Sure the bounty is low, but ultimately it's their money and their decision. They will deal with the 'consequences' of others skipping their program and some public shaming.

I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money - it was a fun challenge to chain it all together and I learned a lot from it.

The most outrageous part for me was the blog post I discovered by accident - it included no references or mentions (check archive.org). Both of the code snippets there are from my RCE reports. At the same time they were denying my requests for disclosure.

Of course, I understand that coordination mistakes like this happen, so I accept their apology and move on!

Evidence - original RCE video with huge CSS injection overlay: https://www.dropbox.com/s/11pv2ghdkw5g84b/css-rce-overlay.mo...


> You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money

If you haven't had food for a few days everything is indeed about money. Either you reward someone properly for the work that they can do or they'll find someone else who does. I doubt most people get fuzzy warm feelings helping a big US corporation that's too greedy to actually pay independent researchers properly.

Edit: That's not to say your work wasn't cool btw. It's very admirable for you to view it the way you do.


Technically true, but kind of ridiculous. How many people can't get food, but have a computer, electricity, internet connection, a reasonably quiet place to work, deep knowledge of web technology, and enough free time and mental energy to try to build exploits of computer software against an uncertain and distant bug bounty payout? If you're really desperate for food, you should be looking for a salaried position or something more immediate and certain.

More importantly, human history shows that ethics really are important. If you ignore ethics in the name of people starving, you build a society where even more people suffer and starve. If you want to build a society where everybody is safe and healthy, you need to pay attention to ethics now, not "someday".


Lots. Many more than you’d expect. To believe otherwise is privilege.

It took many years to understand this.


Dude, if somebody out there somewhere is seriously doing that, they really need some education in effective careers to pursue. That's a lot more likely to improve their lives than complaints about the social effects of the size of bug bounty payouts.

Speaking of privilege, how much privilege is there in believing that ethics aren't important, because you don't know what it's like to live in a place that never even pretended to care about it, and get robbed on a routine basis, because a bunch of other people around you don't care about ethics either, and would rather form a gang and smash anybody who has something they want than work to build a marketable skill?

That is the world you build when you advocate for people not paying attention to the harms of releasing exploits into the wild, because it might pay better than doing the right thing.


I'm sure you didn't mean to but telling people who are doing the best they can with the tools that they have that they "really need some education" comes across as incredibly condescending. It's been my experience that you will have a hard time convincing other people if you tell them things that way.


> If you haven't had food for a few days everything is indeed about money

I doubt anybody capable of finding an exploit like this is in that situation


I've met plenty of self-taught hackers in developing countries who were barely employed due to general economic dysfunction. Spend a month or two in Venezuela and you'll find plenty of qualified folks who have no steady job and are scraping by, how do you think people get into crime to begin with?


>> how do you think people get into crime to begin with?

Lack of opportunity, lack of skills and lack of work ethic. As in it's easy to do, no barrier to entry and always available.

Most crimes don't actually pay very well and have poor return if you've got any sort of marketable skills. Armed robbery of a bank will get you on average $1200 and 15-20 years.


I would add poor impulse control


I suggest you try and peek outside your bubble then. Software Engineering isn't free money everywhere.


You seem to be arguing against a straw man. Nobody said software engineering is free money, I said that a software engineer with the knowledge, skills and tools necessary to find an exploit like this is definitely not starving. In pretty much every country in the world, someone with those skills will be better off than 90% of the population


This is simply wrong. The fact that it is impossible for you to believe otherwise should inform you that you do indeed live inside a bubble.


So many comments to this saying it's possible to be broke as a software developer. No one is arguing that. There are tons of people in every career path that don't make much due to a variety of reasons.

But pretending software development isn't a well paying career path, in general, is a statistically incorrect statement


I'm very capable of finding exploits in what can only be described as terrible living conditions and I've done so while being categorically incapable of finding food anywhere. That's not the environment I live in today (and I'm happy about it), but it really doesn't require a nice warm home with a stable internet connection to find some glaring holes in an application.


Most software is made entirely free with no source of income. The job market for software is terrible, and those people work entirely separate jobs from it. Many program on a very minimum life expenditure.


"Most software is made entirely free with no source of income"

No. Most software that is actually used, is not made 'for free'.


https://levels.fyi disagrees. I can confirm the offers on there are real


That's very simplistic. Not everybody wants to work for US corporations or live in the US.


Does that mean they automatically work for almost nothing? This is so different from what I’ve observed. I would love to see where people are getting this opinion from.


You replied to a claim about “most software” with a site that compares big tech companies, and only their US offices. The world is much bigger than your bubble.


Please omit swipes like "your bubble" from HN comments. They're against the site guidelines because they degrade the container.

https://news.ycombinator.com/newsguidelines.html


Fair, but what do you mean by “degrade the container”?


I mean that they poison the conditions for community. Does that make sense?


Do you have any data that counters what I'm saying? I know people in other countries don't make the same salaries but they are "mostly" doing pretty well for their region


> I know people in other countries don’t make the same salaries but they are “mostly” doing pretty well for their region

here's some job postings for software engineer in Bordeaux, France: https://www.indeed.fr/Bordeaux-(33)-Emplois-Ingenieur-Inform...

It's around three times less.


How does it compare to the local economy?


>Do you have any data that counters what I'm saying?

Prove me wrong is bad argumentation.

>I know people in other countries don’t make the same salaries but they are “mostly” doing pretty well for their region.

The burden of proof is on the person making the claim. Do you have any data to backup your claim?


I gave some proof and I'm speaking from experience. I grant that my perspective may be biased so if there is any data to the contrary then I would love to be enlightened. My goal isn't to point out if someone is wrong for the sake of it, I hope to teach, learn or both. This was such a shocking revelation to me that I was hoping for some data.


> I doubt anybody capable of finding an exploit like this is in that situation

Yet the vast amount of hacks or attempts typically originate from China or North Korea...


And? If they’re hacking for the DPRK they’re probably in the 1% most privileged of the country, they’re definitely not going to be the ones starving.


They can be when they try to live off of bug bounties alone.

There are a lot of young folks that try to make this their full time job after some success, then get into a dry spell. The panic robs them of the lateral thinking that brought them to the dance to begin with, and they get into spirals of ravenously hunting simple bugs that end up as dupes and out of scope.


> They can be when they try to live off of bug bounties alone.

I think that's the problem. You shouldn't be entirely dependent on bounty money, because sooner or later you will find a bug that is worth 10x or 1000x on the black market.

I have seen white hat bounty hunters go rogue in such situations and entirely blame it on the cheap-ass companies that won't offer the "right" amount.

Nobody owes you anything, you are doing this mostly for fun. The bounty is just a bonus.


> Nobody owes you anything, you are doing this mostly for fun. The bounty is just a bonus.

That's missing a key point of the bounty system. Slack and its users are better off that this bug was 1: discovered and 2: responsibly reported. The bounty increases the number of eyes looking, but also incentivizes folks to look into weird crashes or fight through the drudgery of triaging odd behavior.

The bug value also shows how much Slack here values their security, and makes me wary of them if I was in the place to be a customer of theirs.


> The bug value also shows how much Slack here values their security, and makes me wary of them if I was in the place to be a customer of theirs.

Most directly it shows how they value a bug bounty program. There are companies that spend hundreds of millions of dollars per year and have thousands of people in their infosec program that don’t have bug bounty programs.

You can extrapolate that to how they value security but that’s not necessarily directly correlated.


>There are companies that spend hundreds of millions of dollars per year and have thousands of people in their infosec program that don’t have bug bounty programs.

Such as?


Large banks in the US.


Totally agree with you. I’m waiting for this to start going the way of Uber.


If you haven't had food in a few days, there are many better ways to get food on the table than trying to find exploitable vulnerabilities and sell them for tens of thousands of dollars, including

- Work on a bounty program that rewards mitigations instead of exploits (e.g., https://www.google.com/about/appsecurity/patch-rewards/). Those are much more deterministic. (But there's no black market for them.)

- Get a conventional job (possibly in software, possibly not), which pays you on a schedule.

I get the argument you're making about money, but I'm having trouble believing that going after bug bounties ever makes sense to someone in that situation, given how non-deterministic it is to find a bug.

Also (as this bug shows), it typically takes a long time between reporting a bug and having the responding team decide that it merits a bounty. In this case it took a month. (And then there's logistics about actually getting you the money at that point.) Are people who haven't eaten for a few days really going to be happy not eating for another month, even if they get a hundred thousand dollars then?


Are you seriously telling people who are starving to "get a [conventional or not] job"? I'm struggling to understand your point of view, this is almost a caricature.


I'm fairly certain that everyone in the vicinity of a bug bounty program is aware that interest in a program can be dialed up by simply adjusting award amounts. If you look here, Slack just recently increased theirs:

https://hackerone.com/slack/bounty_table_versions?type=team&...


> I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces?

I work with some security engineers who in previous jobs used to write exploits for the highest bidder. Their stuff ended up being used for exactly this. One of them even told me quite proudly, you know that exploit that was in the news, that was mine.

The lack of any ethical framework other than "I want to make as much money as possible" viscerally disgusts me. And there is far too much of this in our industry, it's rife with this sort of ingrained dollar-chasing selfishness with not a care of the consequences.

Good on you for taking a positive ethical stand against this. It's very refreshing to hear.


> being used for exactly this

That refers to "spied upon" or sth like "chopped to pieces"?

In which continent?


I really hope they amend the bounty paid to actually compensate you for the find.

As a slack user, seeing them pay < $2K for RCE report does not make me feel safe. Next person finding something similar might be looking into this and saying "$3K? no thank you, I take the risk of getting caught but being paid fairly."

To be clear I am not advocating for this, but it makes me concerned as a user "some people" will be more likely to do it.


The point is: you don't really need a black market or to do anything illegal to be paid fairly for such research. There are plenty of absolutely legal security companies that will pay you 10x for an exploit like that and then just sell it to the highest bidder (read: all kinds of government entities).

And yeah, those companies in turn work for 3-letter agencies and foreign governments. Of course many would consider selling to them unethical, but that would be absolutely legal.


Another likely outcome is that folks aren't going to look at all, or only at a surface level. This leaves low hanging bugs for those with malicious intent to find easily.


I haven't said anything about black markets but:

>You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money

Not me, not you, but many people make it all about money. I don't think it's ridiculous to think that people can have absolutely zero ethics.


Sure, absolutely they exist. But in my opinion they are the absolute minority. I've been in security for long enough to know that most people are good, otherwise we'd have major problems every day.

99% of people saying something about black markets or govt agencies have never really faced this decision or thought about it for more than 5 minutes. So it was a question - have you REALLY thought about it?


I'd hypothesize that people are more willing to entertain the profiteering fantasy when they aren't realistically facing the consequences. Also, that people are more willing to be jerks under cloak of anonymity. As you note, perhaps only 1% of people with the drive to find these sploits are going to do something bad with them. That means the extra volume is folks who wish they had such a product to sell on the black market are just jealous wannabes. You can ignore them.


I haven't done any security research for a decade, but it was my hobby long ago. While it's not true in every case, sometimes finding a worthy bug and then successfully exploiting it can literally take weeks of work. Like 14 hours a day of work with breaks for sleep in an attempt to solve some puzzle. Usually without any payoff.

This is a profession where your actual skills mean very little until you do something exceptional to have a portfolio or become famous some other way. It's very easy to talk about ethics for people who live in western countries and have easy access to well-paid jobs, but a lot of people don't have such options.

I don't try to justify actual criminals here, but don't be surprised when people sell 0-days to some Israeli companies or NSA-contractors.


I don't live in a 'western country' nor do I make anything near a Silicon Valley salary


Then I can just state huge respect for your moral standards and hope you get paid well enough to continue doing what you do.

There still are a lot of people who are not gonna be okay with said situation for long. Anyone can get more cynical and cruel / indifferent with age due to bad experiences: not getting paid well for reported issues, being cheated or getting into legal trouble for "doing the right thing". Some of us really love security research and want to make it their profession, but it's really easy to end up both without stable income or in some kind of trouble.

So I think it's important to raise awareness about it in the developer community since many people don't understand how much effort goes into being a white hat. It's just like the story with OpenSSL before Heartbleed: half the world used the software, but there wasn't even enough funding to properly pay a single developer.


Read your report and the way you handled things both on technical and human perspective was perfect. Sorry that they made it so difficult to disclose. We are hiring if you ever need a job! https://serpapi.com/team


thank you, appreciate some positivity :)


It's well deserved! :) Feel free to email me directly if you have any question. julien _at_ serpapi.com


Out of curiosity, what do you feel a competitive bug bounty would be for this type of report?

It would be interesting if security reporters had a habit of ending their reports with what they feel is the fair market rate.


high 4, low 5 figures

depends on exploit, program, company etc


In my opinion about 10k feels right for this one.


I'm so sorry this happened, the CSO reached out and acknowledged the issue which was.. The minimum, but I'd be doing an internal RCA at Slack for how that post made it public without any acknowledgement.

Just sucks - marketing, legal, the engineer and peers who reviewed it, security..


> Sure the bounty is low, but ultimately it's their money and their decision.

Uh lol.

Bug bounties gravitate to their market value by showing companies how valuable they actually are and forcing them to learn.


Do you have more info on the javascript piece? I can't find docs for those object properties like delegate anywhere


The app has been updated multiple times since, but you can debug Slack and other Electron apps to see the context they are running with. Electron apps merge desktop functionality with web and sometimes it's possible to find abusable functions - e.g. filesystem, leaking dangerous Electron objects etc.

In this case it was possible to abuse the lack of context isolation to overwrite functionality (first part of the JS exploit). This changed function behaviour to return (leak) a BrowserWindow class (https://www.electronjs.org/docs/api/browser-window) when calling window.open(). A BrowserWindow class allows you to instantiate a new window with your own security settings :)

Some of the current non-standard functions in Slack: https://imgur.com/a/OSjS0kJ

More info: https://www.electronjs.org/docs/tutorial/security


your response wrt black markets strikes me as incredibly naive knowing all the crime, murder, gross negligence causing death and corruption there is and has been literally everywhere on the planet, since forever, for money


Unfortunately, we live in a world governed by money as a motivator. While you might not be in it for the money, many people are, to a certain degree (you know, to make a living and to be able to afford a decent life). If companies are unwilling to pay anything remotely close to what researchers' time is worth, then they shouldn't wonder when people prefer to sell the exploits that they find to those who do value their work appropriately.

And frankly, we shouldn't be giving companies a pass for being cheap because "reporting it responsibly" is the right thing to do. These companies are benefiting to a great degree by offloading vital security research onto unaffiliated and unknown third-parties. Your time, as well as the time of any other hacker or researcher, is valuable and needs to be compensated. I don't see why it's fair to any of us that we should have to work for free or for low pay-outs just because we might be doing the right thing. Same goes for any other career that is badly paid just because "they're helping people".


I agree with you. It's super low, but I and others will just ignore it in the future and ultimately they lose.

However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.

I consider bug bounties like competitions. The 'prize money' is defined beforehand. You don't have to compete if you don't want it. You can also compete for the 'notoriety'. Knowing the stakes, do you complain after getting 'first place'?

Everything you own or do is only worth as much as someone is willing to pay for it, everything else is just speculation.


In my country there is a sort of obligation to get 10% of the value in case you find something valuable, but it is more applied to found money. Many times people just return what they have found without taking any reward. This could be extrapolated to bug bounties as well. How much would Slack or its clients potentially lose if this bug was exploited? I think that everybody could agree on some sum, let's say 200k USD. In that case 20k should be paid.

Another approach is to take the invoice for the last security audit and simply pay the whole amount of that invoice to the researcher. If none was ever done (good God!), just some usual quote for pen testing the targeted application could be applied.

HackerOne could also enforce minimum payouts per exploit category.


What you do, though, is objectively more valuable to Slack than you were paid. They have reframed security as the competition you mention, but the stakes are much higher and they're sidestepping with this issue of "responsible reporting".


> What you do, though, is objectively more valuable to Slack than you were paid.

This is a meaningless statement.

Obviously all work is more valuable to the company than what they pay you to do the work... otherwise they wouldn't pay you would they? Because they'd get nothing out of it.

If your work generates £5 for a company, then why would they pay you £5 or £6 for it? What's in it for them?


Obviously the point is that the gap between how much the person deserves and how much they're paid is particularly significant in this case


Payments from a company are subjective not objective. There is a single purchaser, in this case Slack, and the researcher already said that he wouldn't engage in unethical behaviour to make more money. Just sell the vulnerability to Slack, and be done with it.

Business owners of failing businesses, when they go to sell, many times think, "I've put in a million hours for this, so I need a million dollars." But, that will never happen.


> However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.

Shouldn't people like you be able to do this for a living if you want to? It's valuable work. It has real market value. It seems like you're doing this for fun and genuine interest and I do admire that. Maybe you don't want to taint your motivation with the idea of "how much money can I get for this?" I get that too. But as an outsider, I see this low pay-out and I see exploitation under the guise of "doing the right thing". I genuinely want you to be paid more. You deserve it.

I feel like the only way this kind of thing will change is if people are more vocal about how inappropriate the low compensation is for a company like Slack. Public criticism is necessary and, unfortunately, the only tool we have nowadays to effect change. I understand if this isn't a hill you want to die on, but I hope that other people (particularly people who aren't in bug hunting) are willing to pressure Slack to reconsider its policies.

The problem with "others will ignore it in the future and ultimately they lose" is that it's a passive signal that is too easily overlooked and ignored. It never reaches anybody with any kind of influence who can make changes. If a big exploit happens and somebody does a root cause analysis, it's never going to lead to the conclusion that "well, it's because we haven't been paying enough in our bug bounty program, we need to change that", if only because there's no data about how many people passed on helping them out because of the low payouts.


Yes they should and I think I could. This exploit was more of a fun challenge.

I support and agree to everything you are saying. I love the community response. I too loathe the bug bounty asymmetry in power between corporations and reporters, but it exists.. by design. How do you imagine a researcher can 'demand' more money in this situation? They can choose the amounts arbitrarily and there is nothing legal or ethical you can do about it.

I haven't seen any proposals for real solutions - how would you ask this? How do you decide the amount for each company? Solutions, which do not bypass ethics or laws. I hope that 'the market' will solve this eventually and I think I at least raised awareness.


How much time did you spend on this?

Would you have done it without expecting any rewards, i.e. just for fun?


Context matters. In this case it was a challenge because of previous research and I would've done it just for fun and the experience. I'm lucky I can afford to do that. Doesn't mean I don't value compensation.

In other cases maybe yes, maybe no - for some nonprofit, maybe someone needs help? are they a business and can they afford to compensate this kind of work? maybe it is some prominent product? there is no simple answer


Vulnerability researchers with track records make more than software developers do. This whole thread is pretty weird.


So, what is the right thing to do if you find a vulnerability in Slack?


There are western vulnerability brokers that sell advance warning of exploits to clients like large corporations and governments so they can protect themselves, then presumably handle notifying the company in question so the bug can get fixed. Of course, one problem is that their clients are free to abuse the exploits, and another problem is there's no guarantee they'll make sure the exploits get fixed... but that's certainly an option for you if you aren't comfortable using HackerOne.

Another option is to just disclose it to the public a set number of days after notifying them, like Project Zero.


I think the key thing is that there's a wide range in the amount of effort someone will put into looking for bugs/exploits, guided by a number of factors, like how fun the bug is to work on, the monetary reward, and any prestige from being the one to find it.

If an obvious vuln appears, obviously report it. But, these reports require a lot of work. It'd also be perfectly ok if the researcher reported whatever obscure behaviour they found initially, and went to go look at other targets with better bounties, played with their dog, etc.


Open disclosure on day 0 it would seem.


This might be unpopular, but if you don't feel like the compensation adequately reflects your effort, then you're free to do whatever you think is fair. It's your work. Slack isn't entitled to that work. Ideally, you'd check beforehand what a bug bounty program usually pays out and then decide whether to work on some other company's product that pays better. But you're always going to have people who are interested in doing this stuff and you're always going to have people who will look for the best pay-out for the work they've done.

The problem with starting with the baseline of "the right thing to do is always to disclose the vulnerability to Slack regardless of how little they pay" is that it perpetuates the exploitation of legitimate and important work by skilled workers. The onus should be on Slack to provide fair compensation, not on people doing this important work to "do it out of the good of their hearts".

Slack as a company had a revenue of $401 million last year and the average payout in their bug bounty program is $1376 (https://github.blog/2018-03-14-four-years-of-bug-bounty/). That's just disgusting.


> Slack isn't entitled to that work.

Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked. I don’t disagree with your other points but I don’t think selling an exploit on the black market is the right solution.

Perhaps the best compromise, as I think about it, is to just make the exploit public with no prior warning to the vendor. That’s not great for users either, but at least they’re informed, and the vendor will be left scrambling. But in that case, the researcher gets paid nothing at all.


> Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked.

This is true, but the responsibility to protect these users is ultimately on Slack, not the researcher. If Slack's bounties are nowhere near competitive with black market prices, they are failing to protect their users and should be called out on it.


> whatever you think is fair

Please give us some examples of what you would consider fair in this situation.


Hours worked for the exploit * 50$ should be enough.


That's silly.

If someone spends 100 hours coming up with, say, a clickjacking vuln, it does not magically make it worth $5000. If someone spends 6 minutes coming up with a zero-click sandbox bypass in Chrome, it's not just worth $5.

Severity matters, not time, especially in a bug bounty. If you want the stability (and assurance) of actually getting paid reasonably and consistently for this you should get a job as a pentester.


That's kind of bad - first of all 50$ can be really low depending on the region, but more importantly this disregards the time spent on looking for exploits that don't pan out.

So I would multiply that 50$ by at least 4.

But still, like the other said, bugs should pay by severity not by time spent.


The researcher would probably get paid even less, if that is the case.

The value of an exploit has nothing to do with the development time.


> I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money - it was a fun challenge to chain it all together and I learned a lot from it.

Slack is directly taking advantage of that being the only alternative. You can do whatever you want with the money. However, having a robust bug bounty program ensures a wide range of people are both willing and able to look for and report vulnerabilities. This needs to be a requirement for any large successful company handling a large amount of user data. Slack can definitely afford it, and this can be used against them the next time they report a breach.


They didn’t disclose for months, and when they did, they failed to credit the researcher who found the bug, and started their blog post by saying “This is a fancy way of saying we’ve dialed up the security of the app. It wasn’t unsafe before, but it’s double safe now.” That sucks.


Everyone's talking about low payout, but honestly the timeline seems much more annoying to me and harder to justify (was the fix for this really that hard?)


They can't go back in time and change how they did it, and they did explain and apologise for not handling it correctly.

Stuff like that happens. We should only judge them if they screw up like that again.


Aka "first murder is on the house, the second one you pay for".


How does it make even a little sense to compare this to murder?


consider murder a metasyntactic variable


I'm not sure I agree with the parent poster, surely this isn't exactly murder.


It's a hyperbolic cheeky way of pointing out that they're getting off the hook for their first gross transgression. The GP isn't in any way suggesting mishandling this security issue was equivalent to murder.

They're pointing out that if the transgression were more severe, we'd easily see right through the hole in the reasoning.


You can’t just substitute different transgressions and use the same reasoning. There are plenty of crimes where it’s reasonable to be more lenient to a first-time offender, but murder is not one of them.


There are no crimes where it is reasonable to be lenient to a first-time offender. It's a matter of intent: Lenience is given to accidents (usually still only the first occurrence), which may or may not have caused a crime.

What they did was to silence a security researcher, produce marketing material with falsehoods, and as a result ultimately damage their customers by allowing a security vulnerability to remain present, and not raise alarms afterwards that customers need to ensure that they were not exploited. They actively decided that harming their customers was okay if it allowed them to avoid attention.

This is not an accident, but an intentionally committed crime. No lenience is warranted.


Technically there are plenty of crimes where it is not only reasonable but morally obligatory to be lenient to a first-time offender. Like copyright infringement or sodomy. But in those cases it's also obligatory to be lenient to a second-/third-/etc-time offender, because the law criminalizing them is unjust. Similarly, I strongly suspect that the law unjustly fails to criminalize Slack's negligent disregard for their users' security in this case.

I agree that, crime or not, it was intentionally committed, and does not warrant lenience, though.


The comparison to murder seems apt when we're looking at this in terms of intent rather than severity. The original response stated that we should forgive Slack because "things like this happen", playing off the incident like an accident, when this was clearly not the case.


There's a difference in kind between leniency and suspending all judgement. The GP was explicitly in favour of suspending all judgement.

They didn't accidentally spin this so hard into a cover-up. Sure, if they showed a repeated pattern of such behavior, they should see greater consequences, but they still deserve to get called out hard on their first cover-up.


In its hyperbolic cheek, it overlooks the fact that we can overlook a first offense, precisely because it’s not a matter of life and death.


Great report on a critical RCE vulnerability in Slack. However, I will bite.

$1,750 for a detailed report on a critical RCE is like rewarding sniffer-dogs with breadcrumbs. One could sell this exploit at least for 5 figures on the black market.

In all cases, since Electron brings XSS to the desktop, it is a hacker's paradise.


I found an XSS bug in a popular note taking app. It would allow an attacker to download all the user's notes just by having them visit a URL.

I reported it on HackerOne, it was only after I refused to post it on their free program that they added me to their paid private one.

It was marked as "medium", I got $250 for it.


Do you disagree with the severity? I assess it to have a 6.5 (medium) CVSS score.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L...


I realise it’s a medium on that scale and I cannot argue otherwise.

But I think how private that data is to the end user should also be taken into account. It’s a medium for technical risk (relative to server remote exec), but it should be seen as a high priority for the company and rewarded as such.

If an end user were to ask that company “why did you leak all my private data” their response would be “your data is worth less than $250 in human labour and is seen as a medium security risk”?


The authenticated one-click social engineering aspect of this significantly lowers exploit probability and overall risk.


This is true, but this attack could work in an iframe in the background without that click. An attacker could buy a popular blog on the note taking app, and run the iframe in the background collecting data for years. The bug was at least 5 years old.


CVSS is a ouija board and you can make it say whatever you want, which is why very few practitioners take it seriously.


Sure, some of it is open to interpretation, but I disagree with it not being taken seriously. This is the basis for CVEs, most bounty tables, and most audit reports (that I've seen).


I'm a practitioner, I've managed bug bounties for several companies, and spent 15 of the last 20 years doing assessment work almost exclusively, and nobody takes CVSS seriously. It doesn't say anything to point out that some people structure "bounty tables" based on CVSS, because, as I said, it's a ouija board; the actual rules for what bugs are worth are still ad hoc, they're just used to determine the CVSS instead of the price directly. And that's not a super common practice!

CVSS scores are put into audit reports --- at the ouija levels clients want --- to shut up the suits in compliance.


CVSS being used as a basis for bounty payments is certainly evidence that it is taken seriously. Of course there are details that have to be factored in after that calculation, since CVSS is simplified for general usage.

I'm not aware of any programs on HackerOne that don't follow this practice, so it's not "super uncommon".


I've been in security for a while and once received a report of a CVSS score that was egregiously high at Critical.

I modified the assumptions that were made by the reporter and came out with Low.

This is one example of why this is a nonsense metric.


Any metric is nonsense if used improperly.


I am arguing that there is no proper way to use this.


Any ouija board lies with the wrong seance supervisor


That's a pretty normal price for an XSS.


Dropbox and co pay $10,000 for the same exploit.


Then you should sell it to Dropbox, because $10,000 is extremely high for an XSS vulnerability.


I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.


Yes, that is the premise behind bug bounties. If you're a vulnerability researcher with a track record, you will probably make better money and certainly more consistent money as a pentester. Many pentesters just do both.

I have, uh, some experience with the rates here.


Can I ask, if you were the owner of the popular note taking app, what bounty would you want to have paid for that vulnerability? I.e.:

"XSS bug in a popular note taking app ... attacker to download all the users notes just by having them visit a URL"

So as to not feel worried that future vulnerabilities would get sold on the black market instead


XSS? Outside of a social network, where it can propagate itself? For a non-FAANG-scale company? Probably between $250 and $500, if it's a clean and effective XSS. Less if you have to interact with an obscure feature of the application.


Thanks for the reply, I would have guessed maybe 10x more.

Interesting to hear.

Makes me think that there is not any big market for exploits targeting smaller companies. Maybe such exploits (for smaller products) would be useful primarily for spear phishing? And not bring in so much money if sold, & hard to find a buyer?

Still, if the note taking app was something well known like Ev*rnote, I wish they'd pay more. (No idea if it was.)


Damn, didn't know $1750 was low. I got something similar for reporting an exploit to Microsoft, where opening an attached ICS/calendar entry in Outlook's web client allowed me to execute arbitrary JavaScript on outlook.microsoft.com as the current user. Should have asked for more!


It sounds like you got $1750 for an XSS-equivalent attack. That's high for XSS.


Yes... yes you should have.


I wouldn't beat yourself up over it. There's probably room to develop an exploit valuation model that better helps to translate (time spent on research) + (X% of business/customer impact), where X is a pretty low figure, otherwise companies would never stay in business.

Don't undervalue the intangible permanence of doing the right thing, character outlasts cash come the grave.


> since Electron brings XSS to the desktop, it is a hackers paradise.

Just curious - what makes XSS on the desktop different from other kinds of RCE vulnerability?


Part of this is Electron's environment and arguably fault.

Electron used to default to insecure. You were basically running a web browser except with full access to your entire machine's file system/camera/mic/network etc. If you are an inexperienced developer it wasn't obvious that live linking to any 3rd party code could be an issue. Electron kind of fixed that. They warn you now and default to more secure. How many devs are capable of keeping it secure is up for debate.

As a related issue, it used to be (maybe still is) that by default, links you click in Electron open in Electron. So you make any app that accepts user data and links and suddenly people are browsing the entire net in an unsecured browser.

And worse, they break stuff. I made an Electron app and explicitly made it so all links open in the user's browser. I updated to a new version and then to my horror found whatever I had done to make sure links opened in an external browser stopped opening links in an external browser.

Native apps can have exploits but most native apps aren't designed to be an environment for running arbitrary code. They're only an app for working on data.

Note, I love Electron, I've used it for several projects and it's great. But I'm also afraid of it and wish OSes were themselves more sandboxed so I didn't have to worry about it.


Nothing, but if Slack was a web application and not an Electron application it would mean XSS would not immediately lead to RCE, you would need XSS and a vulnerability in the browser to get an RCE. Electron is basically that for you already: a vulnerable browser.


I refuse to use the Slack desktop app, and use Slack only through a web browser. I trust Chrome (Google), Firefox (Mozilla), Safari (Apple) far more than the Slack engineers.


XSS isn't ordinarily RCE, and XSS is generally much more common than the attacks that do reliably give RCE. It's notable that un-hardened Electron elevates XSS to RCE, because it means there are a lot more opportunities for RCE. That's the subtext of the comment you're replying to.


Yes it is? XSS lets you execute javascript code remotely; that's literally a subset of RCE. Are you talking about virtual machine escapes (running native machine code)?


No, that is not remotely what practitioners mean by RCE.


"Remote Code Execution" means the attacker can Execute Code Remotely, right? I guess you could classify the virtual machine as a (virtually) separate machine from the physical one, so that it's not an RCE on the machine you actually want to attack, but it's clearly executing code on some machine that the remote attacker isn't supposed to be able to execute code on.


No. RCE is a term of art. It implies arbitrary native code execution.


> It implies arbitrary []native[] code execution.

This is simply not true in a plurality of cases (eg, it implies that applications running under qemu are incapable of having RCE vulnerabilities) and frankly sounds like a distinction that was made up to avoid admitting that script tags are RCE bugs in web browsers.


It's interesting how much this little subthread recapitulates the experience of responding to the median bug bounty submission.


Well, modulo "responding to a submission" versus "reporting a vulnerability", we can certainly agree on that at least.


nodeIntegration:true


When running a security bounty, what makes me afraid is the compounding factor of finding the same kind of issue several times in different places, thereby multiplying the cost by 20. Of course $1750 is cheap, but I’d happily donate more if there were no risk of paying repeat bounties, given a week between them to fix each category of security failure I learn about.

By the way, the security bounty should be mandatory to display to customers. It’s like saying “We don’t value the sum of all your data of all customers to more than $1750”.


> but I’d happily donate more if there were no risk of paying repeat bounties, given a week between them to fix each category of security failure I learn about.

A better solution would be to only allow a bug to be reported once per quarter, or once per version of the software. If someone finds a bug in v1.0 that's fixed in v1.1, then someone (even the same person) should be able to report the same bug in a different place in v1.1. That's an incentive for companies to use the report to secure the whole app rather than just fixing the reported issue.


Don't bug bounties usually have some rules for splitting bounties or else paying only the first reporter in case of multiple independent discovery?


It is typical that only the first reporter gets a bounty; duplicate reports are usually given "duplicate" status.

But you might have the same vulnerability found in several different places. Reports should really only be considered duplicates if the fix to one automatically fixes the other also. Your bug found in multiple locations might happen to be set up that way -- or it might not.

This exact problem occurs frequently when a company with a bounty program makes an acquisition and brings the new software into scope for the program. The acquired code is often full of relatively easy-to-find, high-impact bugs. What I've seen people do in this case is open the scope, accept a certain number of reports, and then suspend eligibility for that software for a certain period of time.

This would look like "we've had a lot of similar bugs filed against company-we-acquired.com, and we're taking that domain out of scope for X weeks while we work on it."


(You could achieve exactly what laurent92 is asking for by taking an issue type ("SSRF") out of scope for a period.)


Can you support that statement about the black market with evidence?


Agreed on 5 figures. Evidence? There are even clearnet websites where you can buy vulns. The most known would be: https://0day.today


What you see on that website is the cost, not the earnings though. If a private exploit costs $1.2k, you can get 5 digits by selling it 9 times. That isn't a huge number of sales, but I don't know if this exploit would sell that many times. Anyway, by disclosing on H1 you're "selling" at most once.

Zerodium won't buy a Slack exploit. I'm not debating whether there is a black market for exploits; there is. It just doesn't buy most of the things HN commenters think it does.


$1750 for that?! Security researchers need to organize!

I have no idea what I’m talking about but my guess would be that the security economics of finding an RCE make it very valuable. The disclosure would be worth considerably more to Slack than this bounty. Something in the order of months’ worth of skilled labour, not hours.

I suppose the economics also mean Slack only have to outpay the bad guys, so this is really showing us how poorly compensated black hat labor is?


How would you even monetize that? This requires existing employee access to be able to post a message to the company Slack and hope other employees click it.

The vulnerability could do a lot to pwn a company as long as you already have a compromised user account in the company. That's not a wormable RCE, that's not zero click (I'm not saying it's not bad).

Is there a market for high-touch, highly targeted attacks? Maybe, if you can enter into business with the NSA or a ransomware group, those few who can monetize this sort of thing. Good luck.


A lot of companies give external folks access to their Slack to communicate. Plus there are a lot of communities that use Slack among pseudo-anonymous users. For example Reddit employees including the CEO use Slack with several hundred community moderators. An RCE on their computers would be a huge deal.


Twitter was vulnerable because of a social engineering attack via their Slack, so definitely possible to get access to post a message.


They have; you may have heard of ransomware. :)


>$1750 for that?! Security researchers need to organize!

https://hackerone.com/slack?type=team

It says right on the tin what the payout is going to be. If you don't like the terms of the program, don't participate. It's not really that difficult a concept.


Had the researchers (unethically) published it as a zero-day vulnerability in e.g. a blog post stating "the slack payout wasn't enough for us to care" - what would've been their legal risks?

I assume that would be _one_ way to get companies to care more about rewarding people who spend substantial amounts of time researching their security


Finding and disclosing vulnerabilities predates bug bounties by a long stretch. Bug bounties are simply an incentive for people to follow a scope and disclosure policy through a legal safe harbor and small financial incentive, but they aren't always effective at that. Folks that operate outside of the bounty program don't have that safe harbor and are likely exposed to the full force of whatever domestic 'hacking' laws exist on the books. In the US this has resulted in jail time and fines.

If someone doesn't like the terms of a particular bug bounty program, I would ask why they are doing research against that company to begin with. That's like someone who really wants kids dating a person that doesn't want kids and hoping they will change their mind after they see how awesome it will be. Almost without exception, if you read the comments from the individuals reporting the bugs, they will actually defend the status quo (as is the case here if you dig around). It's mostly just loud people in the vicinity of this trying to drive up the market.

Of course in my example I could try to incentivize said partner to have children by all sorts of unethical means, and there are certainly ways for researchers to try to incentivize corporations to increase bounty scope or payout by unethical means. This is generally considered 'extortion'.

Lastly I think it's also important to point out that legality has nothing to do with ethics, and I certainly believe there are cases where disclosure is warranted outside of any established paradigm of 'responsible disclosure' or bounty program.


A friend of mine swears that you can be sued for 'business damages' over improper disclosure. Sadly, the US is a non-permissive environment so I tend to believe it.


I think that friend of yours is almost certainly wrong, and for decades now there have been notable researchers who disclose publicly and immediately.


In many cases that is correct, but in practice this will never happen.


I mean I certainly am not smart enough to complete a bounty half as big a deal as this, and I could certainly use a month’s rent in cash.

My point was about the wider security economy. It feels like Slack are lowballing for work which they have a moral duty (er, moral in the sense that spectres haunt Europe) to pay something more like a living / minimum wage for hackers.


Your link seems to indicate that this falls into the "$5000 and up" category.

One click RCE, not zero. $1,750 still seems a little low by H1 standards, but probably not by an order of magnitude.

Cool to see how they used the html injection gadget.

Seems like slack messed up with the blog post but made a sincere attempt to make amends.

I've noticed slack is pretty good about allowing disclosure of H1 bugs. It's a really hard sell in a lot of companies, so I think they should be applauded for that.


Oh man, the use of <area> and <map> here is awesome. Not enough of a security guy to know if this is a typical approach, but it's devious.

I guess the moral of the story is to try not to have a place where arbitrary HTML is injected?


Yep. HTML is a huge surface, so just blocking "interesting" tags / attributes is fragile at best (Similar to misguided attempts to block SQL injection through string validation instead of cutting off the root cause).

The other moral of the story is you need to be extra careful to write a secure Electron program, since XSS is a bigger problem than it would be in a desktop browser. Step 3 shows that the RCE could execute programs outside of the JS environment.


Yes, blacklisting HTML tags instead of whitelisting (or parsing into some abstract form and reserializing) is a world of pain and very hard to get right.

Additionally, CSP/iframe have a sandbox flag that can prevent navigating the _top target, which may have prevented this exploit assuming it could have been used (don't know what the Slack code looks like; maybe there was some reason it wasn't applicable).


Low payout aside, it's too bad they didn't properly credit the researcher when they disclosed the vulnerability. There's always another path to getting paid for exploits: https://en.m.wikipedia.org/wiki/Market_for_zero-day_exploits.


So Slack offers the guy a paltry $1,750, then attempts to take credit for his work while also screwing him out of his own disclosure.

This kind of response to security researchers just invites the next researcher to sell the exploit instead, or to actively exploit it.

Why does Slack seem like a company that is floundering? It took them over two years to release a simple feature like shared channels. It seems like the app is frozen in time and the company is doing nothing except keeping the lights on and waiting for Teams to obliterate them.

Slack turned from a hungry tiger startup into an exhausted lumbering enterprise giant whose primary weapon is litigation and mudslinging (Slack initially encouraged the Teams competition, then filed suit against Microsoft in perhaps the biggest case of corporate sour grapes in some time).

Pay your security researchers properly, Slack.


> A simple feature like shared channels

You think merging two or more organizations' workspaces in a sane and secure manner after likely basing the entire app infrastructure around the idea of a single workspace is a "simple feature"? This is a textbook example of the classic HN comment "Why does this company need X engineers to create Y product. I could do it in a weekend."


Except I never claimed it could be done in a weekend, only that it shouldn't take 1,600 employees two years to roll out a single feature while the main app has severe problems (zero error handling during downtime).

Then there's Slack's other "features", like the rich text editor nobody liked or wanted and that they initially refused to change.

Look at Teams' trajectory in the same timeframe.

Slack video calling is still bad. It's been years.


They would've spent multiples of that internally, just fumbling about trying to reproduce the vulnerability.


Considering their new desktop app didn't have even the most basic error handling for connection failures (during downtime people had bricked apps that displayed a white screen with a HTTP error), I have absolutely zero faith in Slack's engineering capabilities.

That's not an indictment of the engineers, but it's an indictment of the executives and managers responsible for the lazy stagnation they're currently in. The quality engineering is gone.

Headcount is way up, engineering budgets are way up, but feature velocity is non-existent. Meanwhile Teams is moving at lightspeed in comparison. While Teams might not be there yet, at least they're trying. Slack is doing nothing.


The sooner Slack is out of my life, the happier I will be.


I had a very similar experience with Slack. We were working with their support team because we didn’t realize a vulnerability was present at first. We thought maybe we had misconfigured something. Basically, we could log in to Slack Desktop with user a, but sometimes the screen would blink, then you would have full access to user b’s chats, you were messaging as them, etc. The Slack team told us to clear our browser cache. We tried that and told them the issue didn’t seem to be tied to a browser. Slack just kept telling us to clear cache, but we were growing more alarmed by the app behavior as a standard user suddenly got access to an administrator account and was able to perform all functions. Finally, we started digging into it ourselves until we could reproduce the issue. Slack didn’t get serious with us until we sent them a recording of us doing it, then their responses got strange. All of our emails back to the technicians were getting intercepted by someone higher up in the company, and we were getting a lot of non-answers. We were told a fix was put in place, but they wouldn’t know what happened until they added additional logging in two months time.

I don’t know where I’m going with this, but the correspondence with Slack just felt off to me. I was also disappointed that we were shouting from the rooftops a serious vulnerability, and we kept getting responses like “clear cache, try reinstalling the app.”


Conclusion: if you have a choice between an Electron app and a web app, use the web app. It's safer and battle tested for years. Electron apps will have their IE6, Flash and Java situations.


Under $2K seems very cheap for what was discovered. Did it take less than two days to do this exploit?

Perhaps the model should be an immediate price like the one that was offered, but also the ability to ask for more, confidentially. For instance you might feel this thing is worth more like $10k, and you could show the screengrab. Then the firm can decide whether to just pay up or haggle. And of course you still have Hacker One to arbitrate that the vuln is actually what was touted.

Nothing's perfect, of course there are holes in this idea as well.


Damn. The next vulnerability will go for sale in dark hat circles for sure. Good job slackers.


Unless Slack does the right thing and pays this researcher properly. It is never too late until it is.


> it is still possible to inject area and map tags

This is the critical oversight - what would be the reason to not use a whitelist instead, or even custom tags instead of plain HTML? Most of the existing libraries for sanitizing html work like that.


Apparently Slack has changed their bounty program payment structure, and for RCE issues they're now paying $5000 and up.

https://hackerone.com/slack


That's why I stick to the web client.


This. It's just insane to use all these Electron-based apps giving them access to all your data.


An Electron app with an RCE? Wow, this is so unexpected; never thought this would happen.


What an excellent write up.

I hope Slack review the payment and give you a bit more.


It is my belief that most people would not use Slack if it did not have the business buy-in it now has. Most people are forced to use Slack.


Curious what the hate for Slack is. I use a 1-person Slack workspace for personal note-taking and memory extension, and I find it is also a super useful tool to manage ideas, photos, shared files in romantic relationships.

For either use case the ability to write bots for it, and the fact that it syncs across devices with multiple simultaneous logins is awesome.


How do you use a 1-person Slack workspace for shared files in relationships?


I have a 1-person workspace for personal note-taking and also a 2-person workspace for shared files/links/photos/etc. in a relationship.

I also find the 1-person workspace to sadly be the easiest way to transfer files between my computers and phones. Like for example when I need to take a PDF with me to the airport or elsewhere, I just drag the PDF into my 1-person Slack workspace and head out the door. Every other method I've tried involves more steps. The mobile clients of Dropbox and Google Drive make it unreasonably hard to actually download files.


Once you use it with a decent amount of people for work, things just get ‘lost’, because the frequency of messages in a channel is so high, info is missed, or employees working on different shifts need to spend a decent amount of time at the beginning of their day to review all the missed messages, some are relevant, most are not.

As you mentioned, there is also an inclination to send alerts or tasks to a channel, and similarly, the alert gets buried with additional messages, or you end up creating a bunch of ‘alert’ channels that you mute, or become hijacked and people start convos in those channels.

Also, the threading sucks. It is very difficult to get users to use threads.


> Also, the threading sucks. It is very difficult to get users to use threads.

I think a big part of it is it's not obvious how to create threads on mobile. A Facebook-like UI for that would be nice.

I wonder if this type of live UI modification could be implemented as a Chrome extension and deployed across an enterprise.


Is there something better?


so... where did the article go?


They seem to be a company of bastard suits.

Their desktop client is an abomination. Worst even among Electron apps. IIRC once it was spawning a process per identity. Because some manager decided to hire bootcamp webshits. It is possible to do much more decent apps even with Electron.

And when an article about Electron was posted, a person from Slack, 'javascript hacker at slack' in his bio, jumped to defend it without even putting a disclaimer.

Now they are treating a security researcher badly with these low bounties. This guy has good intentions and didn't want to sell it. But even if 10% of people sell it or use it on behalf of nation state actors, imagine the damage.

Pretty sure it is some shitty MBAs who don't even know about technology being there.

It is not welcome to be undiplomatic on HN, I know. But let me say this out. Fucking non technical people should not be allowed to decide on technical matters. But those shitheads generally have political abilities. That's what happened when Larry Page tried to oust those suits out of Google engineering divisions.
