Remote Code Execution Is Only Worth $1,750 To Slack?
A critical remote-code-execution vulnerability affecting past versions of the Slack desktop app was disclosed on Friday after the software maker fixed its app.
The behind-the-scenes wrangling leading up to the patch has prompted criticism regarding the size of the bug bounty reward for the vulnerability, and the persistent deployment of insecure Electron framework software.
Back in January, Oskars Vegeris, a security engineer at Evolution Gaming, privately reported to Slack, through its HackerOne bug bounty program, a remote code execution (RCE) vulnerability affecting versions 4.2 and 4.3.2 of its desktop apps for Linux, macOS, and Windows.
The HTML code injection flaw could be exploited to run arbitrary JavaScript within a trusted *.slack.com page and, from there, run commands on the underlying operating system and access a victim’s private files, passwords, and other data.
In practice you could exploit it by, for example, uploading a maliciously crafted JavaScript file to a server you control. You then compose a Slack Post that abuses the HTML injection vulnerability to include your remote payload, and share that post with a Slack channel or user. When they view the post, the file is fetched and run, granting you JavaScript execution inside the desktop app, which is the foothold for the OS-level access described above. Vegeris was rewarded with less than $2,000 for finding and reporting the hole.
“On January 28, we were alerted through our bug bounty program to a potential vulnerability within Slack’s ‘Posts’ feature that could allow an attacker to execute code on a victim’s computer,” a Slack spokesperson said in an emailed statement. “Posts are a feature that let you create, edit, and share fully-formatted documents directly in Slack, and are different from messages in channels or direct messages.”
According to the chat app maker, the initial fix was developed by February 20 and rolled out to users, and no further action is required on their part. Because customers generally only grant workspace membership and Post authoring rights to people they trust, Slack believes it’s unlikely anyone was adversely affected.
By March, Slack had implemented a fix for the RCE portion of the vulnerability in version 4.4.0 of its desktop client. For his trouble, Vegeris was awarded $1,750, a paltry amount numerous bug hunters in the security community said was too small for such a significant find.
Asked about this, Slack’s spokesperson said, “Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers.”
Electron security questioned
While this latest round of bugs in Slack has been fixed, other Electron-based apps like Microsoft Teams may still be vulnerable to similar attacks.
Electron is a cross-platform framework that allows developers to build desktop clients in HTML, JavaScript, and CSS that run on Linux, macOS, and Windows, atop a bundled Chromium browser engine wired to a Node.js runtime. Known for being easy to use and hard to secure, it’s the basis not only of the desktop version of Slack, but also of Discord, Microsoft Teams, Microsoft Visual Studio Code, and WordPress Desktop, among many others.
Vegeris’s disclosure also prompted a social media discussion among members of the security community over the weekend about the shortcomings of Electron security.
“My fundamental complaint with Electron is that relatively basic usage still demands that non-security devs understand the full security properties of their system and scope broker usage appropriately,” said Justin Schuh, engineering director for Google Chrome, via Twitter. “That’s not reasonable, given it’s one of the hardest tasks for security experts.”
Two months ago, Slack published a blog post extolling the benefits of sandboxing in Electron and discussing the addition of a new Electron module called contextBridge, which lets a preload script expose a chosen, limited API as a global object to the page, so that the isolated page context and the privileged Node side can communicate without sharing a JavaScript world.
The post thanks Vegeris and Matt Austin for their bug reports. In an email to The Register, Austin, director of security research at Contrast Security, said it looks like Slack hadn’t been taking full advantage of the Electron sandbox mentioned in its post.
Austin told The Register he had previously reported several high-severity issues with the Slack desktop client, each of which took about three months to resolve and each of which resulted in a $1,500 payout.
He said he felt that was low, given Slack’s size: it has more than 12 million daily active users. He added that he doesn’t really care that much, though he noted that he was paid much better for reporting a flaw in a Facebook Electron app.
Asked about whether Electron apps can be secure, he said, “It’s not that it can’t be done. It can. But for a long time, Electron has had a bunch of insecure defaults.”
Developers who built their apps using Electron defaults, he said, generally don’t want to refactor their apps to make them secure because that’s a lot of work. “You can lock it down but no app does it that way,” he said.
Austin pointed to Microsoft Teams as an example, saying that he had found a similar issue in the Teams app, which he had reported and which still isn’t fixed. The issue is complicated, he said, but if you’re part of a team and create your own workspace and add a user, there’s a bug that lets you trigger an RCE across an organization through an invitation.
It’s been more than a year, he said, and it hasn’t been fixed. Microsoft, he said, created a flag to disable the problematic feature but they have yet to push it to their customers. And he added that while Microsoft has a bug bounty program for the web version of Teams, the desktop client is out of scope.
Microsoft did not immediately respond to a request for comment.
Austin reiterated that the developers working on Electron have been responsible in responding to issues. His major concern is Electron’s insecure default settings. Some of these are slated to get breaking changes in upcoming releases.
“There’s another interesting issue in Electron,” he said. “By default, it has access to the webcam and the microphone. If I can load my own web page [in someone’s Electron app], I can turn on the mic and camera.” ®