Gist: sskras/11e7861f8a7c4f20fbd867237e521e8a

Revisions

  1. @Daniel15 Daniel15 renamed this gist Aug 5, 2022. 1 changed file with 0 additions and 0 deletions.
    File renamed without changes.
  2. @Daniel15 Daniel15 revised this gist Aug 5, 2022. 2 changed files with 48 additions and 27 deletions.
    48 changes: 48 additions & 0 deletions email.txt
    @@ -0,0 +1,48 @@
    We are writing to let you know about a bug we recently discovered and fixed in Slack's Shared Invite Link functionality. This
    feature allows you to create a link that will permit anyone to join your Slack workspace; it is an alternative to inviting
    people one-by-one via email to become workspace members. You are receiving this email because you created and/or revoked one
    of these links for your workspace between April 17, 2017 and July 17, 2022. We'll go into detail about this security issue below.

    Important things first, though: We have no reason to believe that anyone was able to obtain your plaintext password because
    of this vulnerability. However, for the sake of caution, we have reset your Slack password. You will need to set a new Slack
    password before you can login again.

    Now, for some technical details — feel free to skip the next two paragraphs if that doesn't interest you. When you're
    connected to Slack, we keep your client updated using a websocket. When you have Slack open, the websocket is an always-open
    stream of behind-the-scenes information, specific to just you and your account, that we use to push new information to your
    Slack client. When a new message is posted, a new file is uploaded, a new emoji reaction is added, or a new teammate joins,
    all of this information is sent to you over a websocket. The raw data streamed from Slack's servers over the websocket is
    processed by the Slack client apps, but is not directly visible to users.

    One of the hidden events we send over the websocket is a notice that a shared invite link was created or revoked. The
    bug we discovered was in this invite link event along with the information about the shared invite link, the hashed
    password of the user who created or revoked the link was also included. This information was sent over the websocket
    to all users of the workspace who were currently connected to Slack. The hash of a password is not the same as the
    password itself; it is a cryptographic technique to store data in a way that is secure, and cannot be used to log
    in as you. We use a technique called salting to further protect these hashes. Hashed and salted passwords are secure,
    but not perfect — they are still subject to being reversed via brute force — which is why we've chosen to reset the
    passwords of everyone affected.

    What should I do?
    To set your new password, please use the following link:
    [snipped]

    When you do reset your password, we recommend selecting a complex and unique password. This is easiest to do by
    using a password manager to help you generate and store strong, unique passwords for every service you use.
    Additionally, we recommend using two-factor authentication with every service that provides it, including Slack,
    for an extra layer of security. You can learn more about how two-factor authentication works on Slack and how
    to set it up here:
    https://get.slack.help/hc/en-us/articles/204509068-Set-up-two-factor-authentication

    If you have additional questions, you can reply to this message or email us at [email protected]

    We know that the security of your data is important. We deeply regret this issue and its impact on you.
    Sincerely,
    The team at Slack


    Our Blog | Policies | Help Center | Slack Community
    ©2022 Slack Technologies, LLC, a Salesforce company.
    500 Howard Street, San Francisco, CA 94105 USA

    All rights reserved.
    27 changes: 0 additions & 27 deletions gistfile1.txt
  3. @Daniel15 Daniel15 created this gist Aug 5, 2022.
    27 changes: 27 additions & 0 deletions gistfile1.txt
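The advisory describes a server-side event (invite link created or revoked) that was fanned out over the websocket to every connected workspace member and that carried the acting user's stored, salted password hash along with the link details. That is the classic over-serialization bug: a whole stored record is dumped into an outbound payload instead of an explicit projection. The following Python is an added illustration of the failure mode and the two guards against it; it is not Slack's code, and the event names, field names, record layout and the FakeSocket stand-in are all assumptions, with the sample user and link constructed inline.

```python
"""Allowlisted serialization for fan-out websocket events (added example, not Slack's code)."""
import hashlib
import json
import os
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class User:
    """A stored user record (assumed layout). This is what the user store holds,
    not what other workspace members are entitled to see."""
    id: str
    name: str
    email: str
    password_salt: str   # hex
    password_hash: str   # hex, PBKDF2-HMAC-SHA256 over password and salt


def make_user(uid: str, name: str, email: str, password: str) -> User:
    """Constructed sample record with a real salted hash, so the leak below is a
    realistic 64-hex-character field rather than a placeholder string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(uid, name, email, salt.hex(), digest.hex())


# Fields of a User that may ever appear in an event sent to other members.
USER_PUBLIC_FIELDS = frozenset({"id", "name"})

# Keys that must never appear in an outbound event, at any nesting depth.
SENSITIVE_KEYS = frozenset({"password_hash", "password_salt", "email", "session_token"})


def build_event_leaky(kind: str, link: dict, actor: User) -> dict:
    """The anti-pattern: the whole stored record is dumped into the payload, so
    every column the user store has (or gains later) is broadcast with it."""
    return {"type": kind, "invite": link, "user": asdict(actor)}


def build_event(kind: str, link: dict, actor: User) -> dict:
    """Allowlist projection: only explicitly named actor fields are copied out."""
    public = {k: v for k, v in asdict(actor).items() if k in USER_PUBLIC_FIELDS}
    return {"type": kind, "invite": link, "user": public}


def find_sensitive_keys(obj, path: str = "") -> list:
    """Walk a JSON-able payload and return dotted paths of every sensitive key."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if k in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_keys(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits


class FakeSocket:
    """Stand-in for a client websocket (assumed): records what it was sent."""
    def __init__(self):
        self.sent = []

    def send(self, data: str):
        self.sent.append(data)


def broadcast(event: dict, connections: list) -> int:
    """Egress guard: refuse to fan out any event that carries sensitive keys,
    independent of which serializer built it. Returns the delivery count."""
    leaks = find_sensitive_keys(event)
    if leaks:
        raise ValueError(f"refusing to broadcast event with sensitive fields: {leaks}")
    payload = json.dumps(event, sort_keys=True)
    for ws in connections:
        ws.send(payload)
    return len(connections)


def demo() -> dict:
    """Build both event shapes for a constructed 'invite link created' event."""
    admin = make_user("U01", "alice", "alice@example.com", "correct horse battery staple")
    link = {"id": "L7", "url": "https://example.invalid/join/abc123", "active": True}
    leaky = build_event_leaky("shared_invite_link_created", link, admin)
    clean = build_event("shared_invite_link_created", link, admin)
    return {"leaky": leaky, "clean": clean,
            "leaky_leaks": find_sensitive_keys(leaky),
            "clean_leaks": find_sensitive_keys(clean)}


if __name__ == "__main__":
    r = demo()
    print("leaky event exposes:", r["leaky_leaks"])
    print("clean event exposes:", r["clean_leaks"])
    clients = [FakeSocket() for _ in range(3)]
    print("delivered clean event to", broadcast(r["clean"], clients), "clients")
    try:
        broadcast(r["leaky"], clients)
    except ValueError as e:
        print("blocked:", e)
```

The two guards are deliberately independent: the allowlist in the serializer is the fix, and the key scan at the broadcast boundary is the check that catches the next serializer someone writes with `asdict` or a full model dump. A salted hash in that payload is still, as the advisory says, an offline brute-force target, which is why the egress check treats `password_hash` the same as a plaintext secret.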