August 8, 2022

U.S. software company Slack Technologies said in a blog post that it had proactively reset the passwords of 0.5% of its users after discovering a vulnerability in “invite link.”

According to the company, the bug affected all users who created or revoked a shared invite link between April17, 2017 and July 17, 2022. The vulnerability transmitted hashed versions of user passwords to other workspace members.

The vulnerability was uncovered by an independent security expert and revealed to Slack on July 17 and affects more than 60,000 users.

While Slack claimed to have fixed the bug on the same day it was discovered and notified affected users that their passwords were reset 18 days later, the company was unable to take into account the 0.5% number affected by the bug.

In an e-mail to affected customers, Slack stated that the hashed password of a user who created or revoked a shared invitation link was contained in the hidden events of raw data processed by Slack’s servers via a websocket processed by a Slack client app.

Slack explained that the hashed password is not stored or displayed in any Slack client. To detect these hashes, an encrypted monitoring of network traffic is required.

“We use a technique called salting to further protect these hashes. Hashed and salted passwords are secure but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected,” Slack wrote in the email to affected customers.

The sources for this piece include an article in CIODIVE.