About Me

Prameet
Prameet Nanda is a security consultant and an author on cyber-security. Prameet holds a BCA degree in Computer Science and has worked in IT security and web application development. He has developed and delivered IT solutions for companies across many nations. He is passionate about technology and loves what he does. After many years of experience in computer science, he has turned his attention to cyber security and the importance that security brings to this minefield. His passion for ethical hacking, combined with his background in programming and IT, makes him a Swiss Army knife professional in the computer science field.

Slack resets passwords for about 0.5% of its users due to the exposure of salted password hashes

This issue was reported by an independent security researcher and disclosed to Slack on 17 July 2022. The company states that the bug affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.” reads the advisory published by Slack.

Upon receiving the report from the security researcher, the company immediately addressed the flaw and investigated its potential impact on users. Slack pointed out that it does not believe anyone has obtained plaintext passwords by exploiting this issue.

The company also added that it is practically infeasible to derive a password from the associated hash, and exposed hashes cannot be used to authenticate.
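To make the two claims above concrete (a salted hash is not a usable credential, and a reset invalidates an exposed one), here is an added example that is not code from Slack or from this post; it assumes a PBKDF2-style salted, iterated hash, since the advisory quoted here does not name Slack's actual algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo parameters; Slack's real KDF and cost are not stated on the page.
# Production systems should use a higher cost (or Argon2/bcrypt/scrypt).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, stored_digest)


def hash_is_not_a_credential(salt: bytes, stored_digest: bytes) -> bool:
    """An observer who captured the digest cannot log in by submitting it:
    the server hashes whatever is submitted, so the digest itself is rejected."""
    return not verify_password(stored_digest.hex(), salt, stored_digest)


def same_password_different_hashes(password: str) -> bool:
    """Per-user salts give distinct digests for an identical password, so a
    captured digest reveals nothing about other accounts and defeats precomputation."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2


def reset_invalidates_exposed_hash(password: str) -> bool:
    """A password reset stores a new salt and digest; the previously exposed digest
    no longer matches the record even if the user keeps the same secret."""
    old_salt, old_digest = hash_password(password)   # record an observer captured
    new_salt, new_digest = hash_password(password)   # record after reset
    still_valid_for_user = verify_password(password, new_salt, new_digest)
    return still_valid_for_user and old_digest != new_digest
```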

“All active accounts requiring a password reset are being notified directly with instructions. For information on password resets at any time, please visit our Help Centre: https://get.slack.help/hc/en-us/articles/201909068” concludes the advisory. “We recommend that all users use two-factor authentication, ensure that their computer software and antivirus software are up to date, create new, unique passwords for every service that they use and use a password manager.”

The bug is said to have impacted all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022, when Slack was alerted to the issue by an unnamed independent security researcher.

It’s worth pointing out that the hashed passwords were not visible to any Slack clients, meaning access to the information necessitated active monitoring of the encrypted network traffic originating from Slack’s servers.
-Prameet