Slack admits password glitch – bug fixed after 5 years

The messenger service Slack, popular in the corporate environment, has been distributing password hashes to other users for the last 5 years.

A bug in the popular messenger service Slack has been distributing its users’ password hashes to other members of their workspace. Affected users must set a new password before their next login.

Slack transmitted password hashes to other users

As Slack reports on its blog, the company made a mistake in handling saved passwords. All users who created or revoked shared invitation links for their workspace in the company’s software between April, at least five years earlier, and July 2022 were affected. The affected users, 0.5% of all Slack users, received a notification on August 4, 2022 that their passwords had been reset. The next time they log in, the software will therefore ask them to set a new password.

Because of the error, the password hashes of users who shared their workspace in Slack were transmitted to other members of the workspace. However, these hashes were never visible in the Slack clients. Active monitoring of the encrypted network traffic from the Slack servers was required to make the hashed version of the password visible. Successful exploitation of the vulnerability therefore required a certain level of technical expertise.

No danger to be expected, thanks to hashing and salting

Even if someone had intercepted the password hash, recovering the original password from it would be extremely time-consuming or nearly impossible, depending on the hashing algorithm used and the complexity of the password. Hashing is a one-way street by design: the process is meant to be irreversible.

Additionally, according to Slack, the passwords were “salted”: random characters are added to the password before it is hashed, for extra security. This significantly increases the computing effort needed to determine the original password.

It is still not impossible to calculate the password, but with this method the effort is so enormous that it is usually not worth it for an attacker, who would have to wait several years to crack a single password. It would probably be less effort to read the victim’s brain waves to get the password.
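To make the salting point concrete, here is an added Python example (not Slack’s code, and not from the original article) contrasting a fast unsalted hash with a salted, iterated one: a table of precomputed hashes recovers an unsalted password from a constructed wordlist instantly, but is useless against a salted digest, which also differs between two users with the same password. The iteration count and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# PBKDF2 work factor; a constructed value for this example. Real deployments
# tune it to their hardware and prefer a memory-hard KDF where available.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is
    given, so two users with the same password get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the salted digest with the stored salt; compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def unsalted_sha256(password: str) -> bytes:
    """The weak variant: one fast, unsalted hash. Identical passwords collide
    and a single precomputed table works against every leaked hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precompute unsalted hashes once for a (constructed) wordlist."""
    return {unsalted_sha256(word): word for word in wordlist}


def lookup(leaked_digest: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Table hit means the password is recovered at zero cost. A salted digest
    never matches: every salt would need its own table, so the attacker is
    back to slow, per-password guessing, which is what the iterations tax."""
    return table.get(leaked_digest)


if __name__ == "__main__":
    table = build_lookup_table(["password", "letmein", "qwerty"])  # constructed
    print("unsalted leak:", lookup(unsalted_sha256("letmein"), table))  # letmein
    salt, digest = hash_password("letmein")
    print("salted leak:  ", lookup(digest, table))  # None
    print("login check:  ", verify_password("letmein", salt, digest))  # True
```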

Slack claims to have fixed the error immediately after security researchers drew the company’s attention to it. “We have no reason to believe that this issue has enabled anyone to obtain clear-text passwords,” the company reassures its users. Resetting the passwords of all affected users is purely a precautionary measure.
