One bug in Slack, the popular work chat application, was enough for a security researcher to design a hack that could trick users into handing over access to their accounts.
Bug bounty hunter Frans Rosen noticed he could steal Slack access tokens to user accounts due to a flaw in the way the application communicates data in an internet browser.
“Slack missed an important step when using a technology called postMessage,” Rosen said on Wednesday in an email.
PostMessage is a kind of command that can let separate browser windows communicate with each other. In Slack, it’s used whenever the chat application opens a new window to enable a voice call.
To read this article in full or to leave a comment, please click here
Source: News Feed