



Slack, the office communication platform, is known for being easy to use and intuitive. But the company said Friday that one of its low-friction features contained a vulnerability, now patched, that exposed hashed versions of some users' passwords.

When a user created or revoked a shared invite link, a link that others can use to sign up for a particular Slack workspace, the command also inadvertently transmitted the link creator's hashed password to other members of that workspace. The vulnerability affected the passwords of anyone who created or revoked a shared invite link during the five-year period from April 17, 2017 to July 17, 2022.

Slack, now owned by Salesforce, said a security researcher disclosed the bug to the company on July 17, 2022. The hashed password was not visible anywhere in the Slack client and could only have been discovered by someone actively monitoring the relevant encrypted network traffic coming from Slack's servers, the company said. The company said it is unlikely that the plaintext passwords were compromised as a result of the flaw, but it notified affected users on Thursday and forced them to reset their passwords.
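The mechanism described in the two paragraphs above, as an added example that is not Slack's code: a hypothetical invite-link event builder that serializes the whole actor record into the broadcast payload (the failure mode), the allowlist projection that fixes it, and an audit that walks every outbound event for sensitive-looking keys or hash-shaped values. The record layout, field names, event types, invite identifier and the bcrypt strings are all constructed for illustration and assume nothing about Slack's real schema.

```python
import re

# Constructed sample records (not Slack's real schema). The bcrypt strings are
# placeholders with the right shape; they are not real credentials.
USER_RECORD = {
    "id": "U0001",
    "name": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "is_admin": True,
}

# Same idea, but the hash lives under a key whose name gives nothing away.
LEGACY_USER_RECORD = {
    "id": "U0002",
    "name": "bob",
    "auth": {"digest": "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"},
}

# Hypothetical event types for the create/revoke actions the article describes.
EVENT_TYPES = ("shared_invite_created", "shared_invite_revoked")


def build_event_leaky(event_type, actor, invite_id):
    """Failure mode: the event embeds the full actor record, hash and all."""
    return {"type": event_type, "invite_id": invite_id, "created_by": dict(actor)}


# Fields explicitly cleared for broadcast to other workspace members.
PUBLIC_USER_FIELDS = ("id", "name")


def public_view(user):
    """Allowlist projection: anything not listed never leaves the server."""
    return {k: user[k] for k in PUBLIC_USER_FIELDS if k in user}


def build_event_fixed(event_type, actor, invite_id):
    """Hardened builder: same event, actor reduced to its public view."""
    return {"type": event_type, "invite_id": invite_id, "created_by": public_view(actor)}


SENSITIVE_KEY_RE = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)
# Shape of common password-hash encodings: modular-crypt prefixes (bcrypt,
# argon2, scrypt, md5/sha256/sha512-crypt) or a bare 64-hex-char digest.
HASH_VALUE_RE = re.compile(r"^\$(2[aby]|argon2(i|d|id)|scrypt|[156])\$|^[0-9a-f]{64}$")


def find_sensitive_fields(obj, path=""):
    """Walk a JSON-like payload; return dotted paths of fields that look sensitive
    either by key name or by value shape."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if SENSITIVE_KEY_RE.search(k) or (isinstance(v, str) and HASH_VALUE_RE.match(v)):
                hits.append(p)
            else:
                hits.extend(find_sensitive_fields(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_fields(v, f"{path}[{i}]"))
    return hits


def audit(events):
    """Map event index -> offending field paths; an empty dict means clean."""
    return {i: h for i, e in enumerate(events) if (h := find_sensitive_fields(e))}


def simulate(builder, actor):
    """Build one event of every type, as a server-side regression test would."""
    return [builder(t, actor, "INV42") for t in EVENT_TYPES]


if __name__ == "__main__":
    for actor in (USER_RECORD, LEGACY_USER_RECORD):
        print("leaky:", audit(simulate(build_event_leaky, actor)))
        print("fixed:", audit(simulate(build_event_fixed, actor)))
```

The audit iterates over every event type the server can emit, which is how an edge-case action such as link revocation gets the same scrutiny as the common path. The value-shape check matters because the hash may sit under a key that does not say "password"; the key-name check alone would have passed the legacy record. A field the client never renders is invisible in the UI but not on the wire, so the same walker is worth running over captured websocket or API traffic, not only over unit-test fixtures.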

According to Slack, the issue affected about 0.5% of its users. In 2019 the company said its daily active users exceeded 10 million, so that proportion would have meant roughly 50,000 notifications, and the company has likely grown substantially since. Some of the users whose hashes were exposed during the five-year window may no longer be Slack users today.

The company said in a statement that it took steps to implement a fix immediately and released an update on July 17, 2022, the same day the bug was disclosed. Slack has notified all affected customers, and the passwords of affected users have been reset.

The company did not respond to questions from WIRED by press time about what hashing algorithms it used for its passwords or whether the incident prompted a broader evaluation of Slack’s password management architecture.

Jake Williams, director of cyber threat intelligence at security firm Scythe, said it’s disappointing that in 2022 we’re still seeing bugs that are clearly the result of threat modeling failures. Applications like Slack definitely perform security tests, but bugs like this that only occur in edge-case functionality are missed. And obviously, when it comes to sensitive data such as passwords, the risks are much higher.

This situation highlights the challenge of designing flexible, easy-to-use web applications that still silo and restrict access to high-value data such as password hashes. If you get a notification from Slack, change your password and make sure two-factor authentication is turned on. You can also review the access logs for your account.

