Messaging platform Slack fixed an exploit that could let hackers take over accounts and read archived messages after a researcher the reported the flaw, ZDNet found.

The exploit could have allowed hackers to steal user authentication tokens, which would have given them access to the individual’s account. The exploit was found and reported by researcher Frans Rosén.

“I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token,” Rosén explained.

He first found the flaw after he noticed he could manipulate certain code functions on Slack, such as switching to other chats and controlling browser notifications. Rosén discovered other smaller exploits that let him drop calls and intercept messages, however those events were not “punchy enough,” he said.

Slack fixed the flaw in five hours, the researcher said. Slack wrote a summary about the issue and said:

@fransrosen discovered a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens. We resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited.”

Slack also paid him $3,000 for reporting the bug.

RELATED STORIES
Software