
Slack paid a mere $1,750 reward to the researcher who reported a critical vulnerability

Slack paid $1,750 reward for a desktop hijack vulnerability (Slack/Edited)

Slack’s bug could have allowed hackers to take control of the computers of its millions of users through remote code execution. The company has already implemented a fix.

Slack, the popular workplace communication and collaboration platform, has fixed a critical vulnerability that could have allowed hackers to gain access to users’ computers. The vulnerability was reported by a third-party security researcher through the company’s HackerOne bug bounty programme.

According to the researcher, the exploit could have allowed hackers to achieve “remote code execution.” This would have given them access to users’ “private files, private keys, passwords, secrets, internal network access etc.” as well as private conversations and files within the platform.

“With any in-app redirect - logic/open redirect, HTML or JavaScript injection it's possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload. This exploit was tested as working on the latest Slack for desktop (4.2, 4.3.2) versions (Mac/Windows/Linux),” wrote the researcher in a post, now available to the public.


Interestingly, Slack paid the researcher a mere $1,750 for reporting the bug. Many researchers have criticised Slack for paying so little for such a critical bug. Some also pointed out that the researcher could have made more money by selling the data to another company.

Slack has also responded to the newly public bug report and the amount paid to the researcher.

“Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers,” a company spokesperson told Mashable.

According to the spokesperson, the vulnerability was fixed in February, earlier this year.
