Slack on Security: Posting Your Hashed Password To Others

In our research group, we use Slack. It still beats Teams for its interactions. But it is well known that Slack is a slack of security, and that it has struggled to implement end-to-end encryption. Nothing, though, primed us for how poor its security actually is:

It is a particularly wordy email that most users would simply ignore. But it says:

The bug we discovered was in this invite link event: along with the information about the shared invite link, the hashed password of the user who created or revoked the link was also included. This information was sent over the websocket to all users of the workspace who were currently connected to Slack.

Yikes! How bad is that? They sent out someone's hashed password alongside the invite link event, to every user connected to the workspace. That is like posting a scrambled copy of your password to everyone in the office. I would not expect any of our first-year cybersecurity students to make such a novice mistake. This is cybersecurity negligence of the highest degree: tools such as Hashcat can often link common passwords or sequences to a hashed version, even if the password is salted, because a salt only defeats precomputed tables; it does nothing to stop an attacker who holds the hash from guessing a weak password directly.
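To make that last point concrete, here is a small Python illustration added for this post (not code from the original article or from Slack). It uses a constructed five-entry wordlist and a fixed sample salt: a salted hash of a common password is matched within a handful of guesses despite the salt, while a slow key-derivation function such as PBKDF2 (work factor assumed here) makes each guess far more expensive; the triage helper shows how a defender would use the same check to decide which accounts to force-reset first after a leak like this one.

```python
import hashlib
import hmac
import time

# Constructed wordlist standing in for the common passwords a cracking tool
# such as Hashcat would try first (illustration only, not a real list).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the slow hash

def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt||password: salted, but nearly free per guess."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_salted_hash(password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def matches_common_password(leaked_hash: bytes, salt: bytes, hash_fn,
                            wordlist=COMMON_PASSWORDS):
    """Return the wordlist entry whose salted hash equals the leaked hash, or
    None. The salt is public alongside the hash, so it blocks precomputed
    tables but not trying each common password with that salt."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_fn(candidate, salt), leaked_hash):
            return candidate
    return None

def accounts_to_reset(leaked: dict, hash_fn, wordlist=COMMON_PASSWORDS) -> list:
    """Defender triage after a leak of {user: (salt, hash)}: users whose hash
    matches a common password need an immediate forced reset."""
    return [user for user, (salt, h) in leaked.items()
            if matches_common_password(h, salt, hash_fn, wordlist) is not None]

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed; a real salt is random per user
    leaked = {"alice": (salt, fast_salted_hash("letmein", salt)),
              "bob": (salt, fast_salted_hash("Vq9$kLm2#pXw", salt))}
    print("force reset:", accounts_to_reset(leaked, fast_salted_hash))
    # Compare the cost of a single guess under each hash construction.
    for name, fn in (("sha256", fast_salted_hash), ("pbkdf2", slow_salted_hash)):
        start = time.perf_counter()
        fn("guess", salt)
        print(f"{name}: {time.perf_counter() - start:.4f}s per guess")
```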

Conclusions

The recommendation from Slack is to reset your password and choose a long, complex one. The main question here is why auditors and reviewers did not spot this novice error. It looks like a fundamental architectural decision, one that no one checked during the implementation of the code.