



Slack and its scores of desktop app users just dodged a major bullet.

The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability - now fixed - that would have let hackers run wild on users' computers.

Slack's internal security team didn't even find the bug; rather, it was a third-party security researcher who reported it, through the bug bounty platform HackerOne, in January.

Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds.

Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc."

What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues.

It's worth emphasizing that the security researcher who discovered this vulnerability - a process that takes untold hours of work and is a literal job - decided to do what many would consider the right thing and report it to Slack via HackerOne.

For the security researcher, whose HackerOne handle is oskars, this resulted in a bug bounty payment of $1,750.

Of course, had that person wanted, they could likely have gotten much, much more money by selling it to a third-party exploit broker.
