Slack paid a mere $1,750 reward to the researcher who reported a critical vulnerability
Slack’s bug could have allowed hackers to gain control of its millions of users through remote code execution. The company has already implemented a fix.
Slack, the popular workplace communication and collaboration platform, has fixed a critical vulnerability that could have allowed hackers to gain access to users' computers. The vulnerability was reported by a third-party security researcher through Slack's HackerOne bug bounty programme.
According to the researcher, the exploit could have allowed hackers to achieve “remote code execution.” This would have given them access to users' “private files, private keys, passwords, secrets, internal network access etc.” as well as to private conversations and files within the platform.
“With any in-app redirect - logic/open redirect, HTML or javascript injection it's possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE Javascript payload. This exploit was tested as working on the latest Slack for desktop (4.2, 4.3.2) versions (Mac/Windows/Linux),” wrote the researcher in a post, now available to the public.
Interestingly, Slack paid the researcher a mere $1,750 for reporting the bug. Many researchers have criticised Slack for paying so little for such a critical bug. Some also pointed out that the researcher could have made more money by selling the data to another company.
Slack, a $20,000,000,000 company paid $1750 for an RCE as part of their bug bounty program.
If the researcher sold it to a private company he would have made tens of thousands of dollars.
Should the government demand companies pay more in bug bounties?
— Alon Gal (Under the Breach) (@UnderTheBreach) August 29, 2020
Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please.
Because this would be worth much more on https://t.co/cqxDDdazqH
For all that effort, they got awarded $1750
— Daniel Cuthbert (@dcuthbert) August 29, 2020
Slack has also responded to the bug report and to the amount paid to the researcher.
“Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers,” a company spokesperson told Mashable.
According to the spokesperson, the vulnerability was fixed in February of this year.