The collaboration software Slack, which works similarly to Microsoft Teams, is used in many companies. However, a security vulnerability had existed since 2017 and has only now been closed. As a result, password hashes were being sent out for years.
Slack security hole finally closed
According to Slack, the company recently asked around 0.5 percent of all users to change their passwords. While that may not sound like much at first, it is a huge number. According to BusinessofApps, Slack had around 18 million active users in 2020, and the company itself spoke of more than 10 million daily active users in 2019.
However, Microsoft Teams began to outpace Slack as early as 2019. Before the start of the Corona pandemic, the Microsoft collaboration software overtook its competitor's user numbers for the first time.
According to Slack, the hashed passwords were sent out because of a bug that occurred whenever an invitation link for a workspace was created or revoked. In the process, the data was mistakenly sent to all members of the corresponding workspace.
However, the hashes were not visible to Slack customers, which is why it was necessary to closely monitor the encrypted incoming network traffic to find the problem in the first place.
An independent security researcher discovered the bug on July 17, 2022, and immediately reported it to Slack. All users who created or revoked an invitation link between April 17, 2017, and July 17, 2022, were affected, the company said.
What is a password hash?
A password hash makes it possible to store passwords securely and actually serves to improve data protection. Passwords are converted by a one-way function into a fixed sequence of characters and symbols, so they are not available in plain text.
For this reason, it is impossible to read the password directly from a hash, Slack writes. It is also not possible to log in or authenticate a profile with the hash. At least that is what Slack emphasizes. However, this is certainly possible with the appropriate equipment.
Slack has asked all those affected to enter a new password and recommends that they also set up two-factor authentication to further protect their own account.
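The properties described in this section, as an added example that is not Slack's code: a salted hash is fixed-length, submitting the hash itself does not log you in, yet an exposed hash of a weak password can still be matched by guessing, which is why a reset is the right response. The scheme (salted PBKDF2-HMAC-SHA256), the iteration count, the function names and the sample passwords are assumptions made for illustration; the page does not say which algorithm Slack uses.

```python
import hashlib
import hmac
import os

# Assumed scheme for illustration: salted PBKDF2-HMAC-SHA256.
# The page does not say which algorithm or parameters Slack uses.
ITERATIONS = 100_000

# Constructed sample data, not taken from any real breach.
KNOWN_WEAK = ["123456", "qwerty", "password", "letmein"]


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(submitted, salt, digest):
    """Server-side login check: hash what was submitted, compare in constant time."""
    _, recomputed = hash_password(submitted, salt)
    return hmac.compare_digest(recomputed, digest)


def audit_exposed_hash(salt, digest, weak_list=KNOWN_WEAK):
    """Defender's audit: return the weak password an exposed hash matches, or None."""
    for guess in weak_list:
        if verify_password(guess, salt, digest):
            return guess
    return None


if __name__ == "__main__":
    for label, pw in [("weak", "password"), ("strong", "mV7#tq-Lz9!wRk2p")]:
        salt, digest = hash_password(pw)
        print(label, "stored as", digest.hex())
        # Submitting the hash itself fails: the server hashes it a second time.
        print("  login with hash accepted:", verify_password(digest.hex(), salt, digest))
        print("  matched by weak-list audit:", audit_exposed_hash(salt, digest))
```

The same audit function can be run by an identity team against its own credential store to find accounts that should be forced through a reset.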