
Famous Work Chat Application “Slack” Is Hackable, Says Security Researcher Frans Rosén

“Slack” is a very popular application in the corporate world, available for both mobile devices and desktops. Employees and officials use it to communicate with each other and to transfer important documents. This work chat application bundles many important features and is available for iOS, Android, Windows, Linux and Mac OS X. Built with C++, ECMAScript and JavaScript, it was released by “Slack Technologies” in August 2013.

Slack Application is Hackable

Security researcher Frans Rosén submitted a video demonstration to “Slack Technologies” in which he explained how an attacker could trick a Slack user into giving up access to his account. Rosén designed the attack after researching how the Slack application works, and noticed that it is possible to steal the access token of a Slack user account when the application communicates with the web browser.


What is the Flaw?

According to Frans Rosén, the flaw lies in how Slack handles the browser's “postMessage” feature. “postMessage” lets one window communicate with another window inside the web browser; for example, when you click a link in an application that opens a new window, the new window can exchange messages with the window that opened it through “postMessage”. Slack uses this feature only in the chat application, when it opens a new window to enable a voice call.

Here you can see the video demonstration: https://goo.gl/W95y1m

So an attacker can steal the access token of a Slack account by opening a malicious web page in a new window alongside the Slack application. “postMessage” lets the receiving window check which origin a message came from, so that data passed between windows cannot be intercepted or injected by an unrelated page. Slack's call window was not performing this validation, which allowed Frans Rosén to hijack the exchange and steal the access token: he created a web page that made the Slack user's session hand over its access token.
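As an added example (not Slack's code and not taken from Rosén's report), the block below models a popup window such as a call window that receives a “postMessage” asking for the session token, and shows a handler that answers any sender next to one that checks `event.origin` first. The origins and the token value are assumed placeholders, and the MessageEvent is simulated so the code runs in Node without a browser.

```javascript
// Added example, not Slack's code: a popup window's postMessage handler,
// once without and once with an origin check. Origins and token are assumed.
const TRUSTED_ORIGIN = "https://app.example.com"; // assumed origin of the legitimate opener window
const SESSION_TOKEN = "token-placeholder";        // constructed stand-in for a real access token

// Vulnerable pattern: the handler never looks at event.origin, so a page
// opened from any site can ask for the token and receive it.
function handleMessageUnchecked(event) {
  if (event.data && event.data.type === "request-token") {
    // Replying with target origin "*" lets whichever window asked read the reply.
    event.source.postMessage({ type: "token", token: SESSION_TOKEN }, "*");
    return "sent";
  }
  return "ignored";
}

// Hardened pattern: drop any message not from the expected origin, and pin
// the reply to that origin so the browser refuses to deliver it elsewhere.
function handleMessageChecked(event) {
  if (event.origin !== TRUSTED_ORIGIN) return "rejected";
  if (event.data && event.data.type === "request-token") {
    event.source.postMessage({ type: "token", token: SESSION_TOKEN }, TRUSTED_ORIGIN);
    return "sent";
  }
  return "ignored";
}

// Simulate a MessageEvent from a given origin (constructed; no browser needed)
// and record what, if anything, the handler posts back to the sender.
function simulate(handler, origin) {
  const replies = [];
  const event = {
    origin,
    data: { type: "request-token" },
    source: { postMessage: (msg, targetOrigin) => replies.push({ msg, targetOrigin }) },
  };
  return { result: handler(event), replies };
}

const UNTRUSTED_ORIGIN = "https://untrusted.example"; // assumed origin of an unrelated page
console.log("unchecked, untrusted origin:", simulate(handleMessageUnchecked, UNTRUSTED_ORIGIN));
console.log("checked, untrusted origin:  ", simulate(handleMessageChecked, UNTRUSTED_ORIGIN));
console.log("checked, trusted origin:    ", simulate(handleMessageChecked, TRUSTED_ORIGIN));
```

The first run prints a reply carrying the token to the untrusted window; the second prints no reply at all, and only the third, from the trusted opener, gets the token with the reply pinned to that origin.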

Response of Slack Technologies

The company confirmed the vulnerability right after investigating it, and it has since been fixed. The Slack team also said that it had not been exploited by anyone. Frans Rosén reported the issue to the company through the bug bounty platform HackerOne.
