Hack the Slack app — Android $3,500 bug bounty
A while back now, I found a vulnerability in the Slack Android application. The vulnerability was a directory traversal which led to being able to steal passwords. As I made the case in the bug report — the great thing (or bad thing, depending on your perspective) about this was that it would allow for ‘jumping’ between accounts — i.e. you can attack a user through account A and, through that, gain access to accounts B, C and D that they’re also logged into.
Background
Slack is a chat-ops platform heavily used by many businesses for chat, voice calling, sharing files and, despite the best efforts of IT administrators, sharing passwords, keys and lots of other secrets. It’s safe to say that account takeover is a fairly undesirable outcome for any business.
The vulnerability
The core vulnerability in the Android app was a directory traversal attack. By chance, while observing traffic in Burp, I found a method of uploading files which let me set the path; interestingly, using the official Slack API didn’t let me do this, but the following script gives an idea of the path used to upload the file:
response =…
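The defensive counterpart to the bug described above, as an added example that is not code from the original post or from Slack: before an Android app writes a file under a name chosen by a remote party, it canonicalises the resulting path and refuses anything that resolves outside the intended directory. The base directory and the sample file names are constructed for the demonstration.

```java
import java.io.File;
import java.io.IOException;

// Added example (not the author's script): containment check that blocks
// directory traversal in remotely supplied file names.
public class SafeDownloadPath {

    // Returns the File to write to, or throws if `untrustedName` would
    // resolve outside `baseDir` once ".." segments are collapsed.
    public static File resolveWithinBase(File baseDir, String untrustedName) throws IOException {
        String base = baseDir.getCanonicalPath();
        File candidate = new File(baseDir, untrustedName);
        // getCanonicalPath collapses "..", ".", symlinks and duplicate separators.
        String resolved = candidate.getCanonicalPath();
        // Compare with a trailing separator so a sibling such as
        // ".../downloadsX" is not mistaken for being inside ".../downloads".
        if (!resolved.startsWith(base + File.separator)) {
            throw new IOException("Path traversal rejected: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory standing in for the app's private files dir.
        File base = new File(System.getProperty("java.io.tmpdir"), "downloads");
        base.mkdirs();
        // Constructed sample names: two benign, two attempting to escape the directory.
        String[] names = {
            "report.pdf",
            "sub/../report.pdf",
            "../escape.txt",
            "a/../../../escape.txt"
        };
        for (String name : names) {
            try {
                System.out.println("ALLOW " + name + " -> " + resolveWithinBase(base, name));
            } catch (IOException e) {
                System.out.println("DENY  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two names are accepted because they resolve to a file directly under the base directory; the last two are denied because the collapsed path leaves it.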