Remote Code Execution in Slack desktop apps

510 points, posted by tonny747 over 4 years ago

19 comments

oskarsv, over 4 years ago
I wrote that exploit & report. Just some thoughts on comments here.

Sure the bounty is low, but ultimately it's their money and their decision. They will deal with the 'consequences' of others skipping their program and some public shaming.

I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money - it was a fun challenge to chain it all together and I learned a lot from it.

The most outrageous part for me was the blog post I discovered by accident - it included no references or mentions (check archive.org). Both of the code snippets there are from my RCE reports. At the same time they were denying my requests for disclosure.

Of course, I understand that coordination mistakes like this happen, so I accept their apology and move on!

Evidence - original RCE video with huge CSS injection overlay: https://www.dropbox.com/s/11pv2ghdkw5g84b/css-rce-overlay.mov?dl=0
sjy, over 4 years ago
They didn’t disclose for months, and when they did, they failed to credit the researcher who found the bug, and started their blog post by saying “This is a fancy way of saying we’ve dialed up the security of the app. It wasn’t unsafe before, but it’s double safe now.” That sucks.
rvz, over 4 years ago
Great report on a critical RCE vulnerability in Slack. However, I will bite.

$1,750 for a detailed report on a critical RCE is like rewarding sniffer-dogs with breadcrumbs. One could sell this exploit at least for 5 figures on the black market.

In all cases, since Electron brings XSS to the desktop, it is a hackers' paradise.
gorgoiler, over 4 years ago
$1750 for that?! Security researchers need to organize!

I have no idea what I'm talking about but my guess would be that the security economics of finding an RCE make it very valuable. The disclosure would be worth considerably more to Slack than this bounty. Something in the order of months' worth of skilled labour, not hours.

I suppose the economics also mean Slack only have to outpay the bad guys, so this is really showing us how poorly compensated black hat labor is?
EE84M3i, over 4 years ago
One click RCE, not zero. $1,750 still seems a little low by H1 standards, but probably not by an order of magnitude.

Cool to see how they used the html injection gadget.

Seems like slack messed up with the blog post but made a sincere attempt to make amends.

I've noticed slack is pretty good about allowing disclosure of H1 bugs. It's a really hard sell in a lot of companies, so I think they should be applauded for that.
kevsim, over 4 years ago
Oh man, the use of <area> and <map> here is awesome. Not enough of a security guy to know if this is a typical approach, but it's devious.

I guess the moral of the story is to try not to have a place where arbitrary HTML is injected?
nahbulursun, over 4 years ago
Low payout aside, it's too bad they didn't properly credit the researcher when they disclosed the vulnerability. There's always another path to getting paid for exploits: https://en.m.wikipedia.org/wiki/Market_for_zero-day_exploits
0xy, over 4 years ago
So Slack offers the guy a paltry $1,750, then attempts to take credit for his work while also screwing him out of his own disclosure.

This kind of response to security researchers just invites the next researcher to sell the exploit instead, or to actively exploit it.

Why does Slack seem like a company that is floundering? It took them *over two years* to release a simple feature like shared channels. It seems like the app is frozen in time and the company is doing nothing except keeping the lights on and waiting for Teams to obliterate them.

Slack turned from a hungry tiger startup into an exhausted lumbering enterprise giant whose primary weapon is litigation and mudslinging (Slack initially encouraged the Teams competition, then filed suit against Microsoft in perhaps the biggest case of corporate sour grapes in some time).

Pay your security researchers properly, Slack.
dowakin, over 4 years ago
Conclusion: if you have a choice between an Electron app and a web app, use the web app. It's safer and battle tested for years. Electron apps will have their IE6, Flash and Java situations.
lordnacho, over 4 years ago
Under $2K seems very cheap for what was discovered. Did it take less than two days to do this exploit?

Perhaps the model should be an immediate price like the one that was offered, but also the ability to ask for more, confidentially. For instance you might feel this thing is worth more like $10k, and you could show the screengrab. Then the firm can decide whether to just pay up or haggle. And of course you still have Hacker One to arbitrate that the vuln is actually what was touted.

Nothing's perfect, of course there are holes in this idea as well.
keymone, over 4 years ago
Damn. The next vulnerability will go for sale in dark hat circles for sure. Good job slackers.
ricardobeat, over 4 years ago
> it is still possible to inject area and map tags

This is the critical oversight - what would be the reason to not use a whitelist instead, or even custom tags instead of plain HTML? Most of the existing libraries for sanitizing html work like that.
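As an added example (not code from the Slack report or from anyone in this thread), here is a tag-level contrast of the two sanitizer designs kevsim's and ricardobeat's comments touch on: a blocklist that strips only known-bad tags lets unlisted elements such as `<map>` and `<area>` through unchanged, while an allowlist escapes every tag it has not been explicitly told to keep. The tokenizer, the tag lists and the sample message are assumptions made for the demo; a real application would use a maintained sanitizer library with the same allowlist philosophy.

```javascript
// Constructed sample message: a harmless <b>, an unlisted <map>/<area> pair,
// a <script>, and a link carrying an event-handler attribute.
const SAMPLE = 'hi <b>there</b> <map name="m"><area shape="rect" href="x"></map>'
  + '<script>x()</script><a href="https://example.com" onclick="x()">link</a>';

// Matches one opening or closing tag; attribute values containing '>' are not
// handled, which is one reason to prefer a real parser-backed library.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;

// Escape so leftover angle brackets render as text, never as markup.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Blocklist: removes only the tags it has heard of. Anything it has never
// heard of (here <map> and <area>) survives verbatim.
function sanitizeBlocklist(html, blocked = ['script', 'iframe', 'object']) {
  return html.replace(TAG_RE, (m, name) =>
    blocked.includes(name.toLowerCase()) ? '' : m);
}

// Allowlist: keeps only listed tags with listed attributes and rebuilds each
// kept tag from scratch; every other tag is escaped and so cannot render.
function sanitizeAllowlist(html, allowed = { b: [], i: [], a: ['href'] }) {
  return html.replace(TAG_RE, (m, name, attrs) => {
    const tag = name.toLowerCase();
    if (!(tag in allowed)) return escapeHtml(m);
    if (m.startsWith('</')) return `</${tag}>`;
    const kept = [];
    for (const [, rawKey, val] of attrs.matchAll(ATTR_RE)) {
      const key = rawKey.toLowerCase();
      if (!allowed[tag].includes(key)) continue;          // drops onclick etc.
      if (key === 'href' && !/^https?:\/\//i.test(val)) continue; // scheme check
      kept.push(` ${key}="${val}"`);
    }
    return `<${tag}${kept.join('')}>`;
  });
}

// Convenience for the reader: returns whether a given tag name still appears
// as live markup after sanitizing.
function stillRenders(html, tag) {
  return new RegExp(`<${tag}\\b`, 'i').test(html);
}
```

Running `sanitizeBlocklist(SAMPLE)` leaves `<map>`, `<area>` and the `onclick` handler in place; `sanitizeAllowlist(SAMPLE)` keeps only `<b>` and a bare `<a href="https://example.com">`.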
29athrowaway, over 4 years ago
Apparently Slack has changed their bounty program payment structure, and for RCE issues they're now paying $5000 and up.

https://hackerone.com/slack
touchpadder, over 4 years ago
that's why I stick to the web client
Angeo34, over 4 years ago
An Electron app with an RCE? Wow, this is so unexpected, never thought this would happen.
GEBBL, over 4 years ago
What an excellent write up.

I hope Slack review the payment and give you a bit more.
TheUndead96, over 4 years ago
It is my belief that most people would not use Slack if it did not have the business buy-in it now has. Most people are forced to use Slack.
er0k, over 4 years ago
so... where did the article go?
higerordermap, over 4 years ago
They seem to be a company of bastard suits.

Their desktop client is an abomination. Worst even among Electron apps. IIRC once it was spawning a process per identity. Because some manager decided to hire bootcamp webshits. It is possible to do much more decent apps with even Electron.

And when an article about Electron was posted, a person from Slack, 'javascript hacker at slack' in his bio, jumped to defend it without even putting a disclaimer.

Now they are treating a security researcher badly with these low bounties. This guy has good intentions and didn't want to sell it. But even if 10% of people sell it or use it on behalf of nation state actors, imagine the damage.

Pretty sure it is some shitty MBAs who don't even know about technology being there.

It is not welcome to be undiplomatic on HN, I know. But let me say this out. Fucking non technical people should not be allowed to decide on technical matters. But those shitheads generally have political abilities. That's what happened when Larry Page tried to oust those suits out of Google engineering divisions.