Slack, the popular workplace communication and collaboration platform, has fixed a critical vulnerability that could have allowed attackers to gain access to users’ computers. The vulnerability was reported by a third-party security researcher through HackerOne’s bug bounty programme.

According to the researcher, the exploit could have allowed attackers to achieve “remote code execution.” This would have given them access to users’ “private files, private keys, passwords, secrets, internal network access etc.” as well as to private conversations and files within the platform.

“With any in-app redirect logic/open redirect, HTML or javascript injection it’s possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE Javascript payload. This exploit was tested as working on the latest Slack for desktop (4.2, 4.3.2) versions (Mac/Windows/Linux),” wrote the researcher in a post, now available to the public.

Interestingly, Slack paid the researcher a mere $1,750 for reporting the bug. Many researchers have criticised Slack for paying so little for such a critical finding. Some also pointed out that the researcher could have made more money by selling the vulnerability details to another company.

Should the government demand companies pay more in bug bounties? Slack, a $20,000,000,000 company paid $1750 for an RCE as part of their bug bounty program. If the researcher sold it to a private company he would have made tens of thousands of dollars.

For all that effort, they got awarded $1750 Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on https://t.co/cqxDDdazqH

“Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers,” a company spokesperson told Mashable.

Source: https://tech.hindustantimes.com/tech/news/slack-paid-a-mere-1-750-reward-to-the-researcher-who-reported-a-critical-vulnerability-71598861278201.html

Slack paid a mere $1,750 reward to the researcher who reported a critical vulnerability
