
Five-Year-Old Slack Bug Transmitted Your Hashed Password After Interacting With a Sharing Feature

A five-year-old Slack bug shared your hashed password whenever you used the vulnerable shared-invite feature, a new disclosure by the team communication platform said.

The San Francisco, California-based company said that when users created or revoked a shared invitation link, the bug transmitted their hashed passwords to other members of the workspace.

Slack clarified that the bug only affected users who created or revoked a shared invite link for their workspace between April 17, 2017, and July 17, 2022.

Slack bug did not display the hashed password on the client

The Salesforce subsidiary said the hashed password was never displayed on the platform or in any Slack client. Intercepting it would have required actively monitoring the encrypted network traffic coming from Slack's servers.

However, the hashed password could still have been logged alongside the other packet data transmitted during link creation and revocation.

Slack notified all impacted users and forced password resets for roughly 0.5% of them. Measured against the 10 million daily active users the company reported in 2019, a base that included 169,000 paying customers, that is about 50,000 accounts.

“Slack has informed all impacted customers and the passwords for impacted users have been reset,” the company said in the password reset notice blog post.

However, the number of users has likely changed since 2019, with more new users joining and some impacted individuals leaving for other team communication platforms.

The company released a fix for the five-year-old bug immediately after discovering it on July 17, 2022.

Hackers could obtain a plaintext passphrase from a hashed password

Slack was quite forthcoming with the exposure but did not disclose its hashing algorithm, although the exposed passwords were hashed and salted.

However, the company believes users' credentials are safe because it is "practically impossible" to reverse a salted hash and recover the original password.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” the company argued.

Hashing protects a password when the stored form is exposed, because the attacker holds a digest rather than the password itself. It is not an absolute protection, however: threat actors recover plaintext from password hashes by offline cracking, hashing candidate passwords from wordlists and brute-force enumeration until one matches the leaked value, and, where hashes are unsalted, by precomputed rainbow tables.

Sharon Nachshony, Security Researcher at Silverfort, said hashing and salting the passwords reduced the impact of the Slack bug.

“Hashes of salted passwords being leaked is not as dangerous as exposing them in plain-text, as an attacker would have to use brute-force methods – essentially automating a script to guess passwords – which takes some time.”

The strength of that protection depends on how the hashing was done. Using one global salt for every user instead of a unique salt per user reduces the salt's effectiveness: each guess the attacker hashes can be compared against all leaked hashes at once, rather than one user at a time. Similarly, fast general-purpose hashes such as MD5 were widely used for password storage in the not-so-distant past, and they let an attacker test guesses far faster than a deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2.
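The following is an added example, not Slack's code and not part of the original article, showing the offline dictionary attack described above run against three storage schemes: a fast hash with a global salt, the same fast hash with per-user salts, and PBKDF2 with per-user salts. The wordlist, users and passwords are constructed for the demonstration, and the PBKDF2 iteration count is an assumed work factor; Slack has not disclosed its own algorithm. Counting hash operations is what exposes the global-salt weakness: one hash per guess tests every leaked digest.

```python
import hashlib
import os
import time

# Constructed sample data for the demonstration: a tiny wordlist and three
# fictional users. Two of the passwords appear in the wordlist, one does not.
WORDLIST = ["password", "letmein", "Summer2022", "slack123", "correcthorse", "hunter2"]
USER_PASSWORDS = {
    "alice": "hunter2",        # in wordlist: will be recovered
    "bob": "Summer2022",       # in wordlist: will be recovered
    "carol": "Tr0ub4dor&3",    # not in wordlist: survives this attack
}
PBKDF2_ITERATIONS = 100_000    # assumed work factor, not Slack's (undisclosed)


def fast_hash(password: str, salt: bytes) -> str:
    """Single SHA-256 over salt||password: a fast general-purpose hash,
    the kind of construction an attacker can test millions of times per second."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256: a deliberately slow password hash. Every guess
    costs the attacker PBKDF2_ITERATIONS HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def build_password_db(hash_fn, per_user_salt: bool) -> dict:
    """Simulate the server side: store (salt, digest) per user, either with a
    unique random salt for each user or one global salt shared by all."""
    global_salt = os.urandom(16)
    db = {}
    for user, password in USER_PASSWORDS.items():
        salt = os.urandom(16) if per_user_salt else global_salt
        db[user] = (salt, hash_fn(password, salt))
    return db


def offline_dictionary_attack(db: dict, hash_fn) -> tuple:
    """Attacker side: the leaked (salt, digest) pairs are known, so hash each
    wordlist entry and look for matches. Returns (recovered, hash_operations).

    Users are grouped by salt. With a global salt there is a single group, so one
    hash per guess is compared against every leaked digest; with per-user salts
    every user needs its own pass over the wordlist."""
    digests_by_salt: dict = {}
    for user, (salt, digest) in db.items():
        digests_by_salt.setdefault(salt, {})[digest] = user

    recovered, hash_operations = {}, 0
    for salt, digest_to_user in digests_by_salt.items():
        for guess in WORDLIST:
            hash_operations += 1
            candidate = hash_fn(guess, salt)
            if candidate in digest_to_user:
                recovered[digest_to_user[candidate]] = guess
    return recovered, hash_operations


def compare_schemes() -> dict:
    """Run the same attack against three storage schemes and report, per scheme,
    which users were recovered, how many hash operations it took and how long."""
    schemes = [
        ("fast hash, global salt", fast_hash, False),
        ("fast hash, per-user salt", fast_hash, True),
        ("pbkdf2, per-user salt", slow_hash, True),
    ]
    results = {}
    for label, hash_fn, per_user_salt in schemes:
        db = build_password_db(hash_fn, per_user_salt)
        start = time.perf_counter()
        recovered, ops = offline_dictionary_attack(db, hash_fn)
        results[label] = {
            "recovered": recovered,
            "hash_operations": ops,
            "seconds": time.perf_counter() - start,
        }
    return results


if __name__ == "__main__":
    for label, r in compare_schemes().items():
        print(f"{label:28} ops={r['hash_operations']:3} "
              f"time={r['seconds']:.3f}s recovered={r['recovered']}")
```

Running it shows the same two accounts fall under every scheme, because their passwords are in the wordlist; what changes is the attacker's cost. The global salt needs a third of the hash operations of per-user salts, and PBKDF2 makes each operation orders of magnitude slower than a bare SHA-256. A real attacker would use a GPU cracker such as hashcat rather than Python, but the ratios between the schemes are the same.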

The Slack bug is therefore unlikely to endanger most ordinary users. However, many high-profile corporations and government organizations use Slack for official communication.

That makes the leaked hashes a potential target for sophisticated attackers with the resources to recover a plaintext passphrase from a hashed password.

Advanced persistent threat actors have repeatedly exploited minor software bugs in unexpected ways for cyber espionage and ransomware.

Meanwhile, Slack customers should review their workspace access logs for suspicious activity and enable two-factor authentication as a precaution, according to the company's advisory.


“Incidents like these are once again a clear argument for users to enable MFA. If implemented correctly, this would alert the legitimate user to any authentication attempt on their behalf, denying any malicious access attempt,” Nachshony concluded.