Race Condition in account survey

Slack

Team Summary

Official summary from Slack

@cablej found a race condition in our account creation survey, which allowed a user to receive extra Slack credits. We investigated and fixed the issue. Thanks for the report @cablej!

Reported by cablej

Vulnerability Details

Technical details and impact analysis

Violation of Secure Design Principles
There exists a race condition in the beginning survey, allowing a user to get $100 in credit multiple times. In my example, I made 2 asynchronous requests, and was credited with $200.

POC:

1. Create a new slack team.
2. Set your password, and find the account creation survey.
3. Complete the survey, and intercept the request using a proxy such as BurpSuite.
4. Repeat the request asynchronously, such as in the command line by executing `(command) & (command)`.
5. The survey will be credited to your account multiple times.

See the attached screenshot. Please let me know if you need any more information.
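The bug class here is a check-then-act window: the handler reads "has this account already completed the survey?", and only afterwards writes the credit and the completed flag, so two requests that both pass the read before either write each grant $100. The following is an added example, not code from the report or from Slack: a minimal in-memory model of such a handler, beside a hardened version that claims the one-time flag and applies the credit inside a single critical section. The `Store`, `Account`, handler names and the `between_check_and_act` hook (used only to make the interleaving reproducible) are assumptions for illustration.

```python
"""Race-condition model for a one-time credit grant (added example, assumed design).

racy_complete_survey: the vulnerable shape, check and act as two separate steps.
safe_complete_survey: the hardened shape, claim-then-credit under one lock.
simulate: fires N concurrent requests for the same account and reports the result.
"""
import threading
from dataclasses import dataclass, field

CREDIT_PER_SURVEY = 100  # the report states $100 credit per completed survey


@dataclass
class Account:
    balance: int = 0
    survey_completed: bool = False


@dataclass
class Store:
    # Assumed in-memory stand-in for the real account database.
    accounts: dict = field(default_factory=dict)
    lock: threading.Lock = field(default_factory=threading.Lock)


def racy_complete_survey(store, user_id, between_check_and_act=None):
    """Vulnerable handler: the check and the credit are not atomic."""
    acct = store.accounts[user_id]
    if acct.survey_completed:          # step 1: check
        return False
    if between_check_and_act is not None:
        between_check_and_act()        # test hook: every request passes the check first
    acct.balance += CREDIT_PER_SURVEY  # step 2: act; duplicated when requests overlap
    acct.survey_completed = True
    return True


def safe_complete_survey(store, user_id, between_check_and_act=None):
    """Hardened handler: claim the flag and credit the account in one critical section.

    The hook parameter is accepted only to keep the same call signature; it is
    never invoked because there is no window between the check and the write.
    In a relational store the equivalent is a UNIQUE constraint on
    (account_id, survey_id): only the request whose INSERT succeeds credits.
    """
    with store.lock:
        acct = store.accounts[user_id]
        if acct.survey_completed:
            return False
        acct.survey_completed = True   # claim first, so a loser can never pass the check
        acct.balance += CREDIT_PER_SURVEY
        return True


def simulate(handler, n_requests, user_id="user-1"):
    """Send n_requests concurrent completions for one account.

    Returns (final balance, number of requests that reported success).
    A barrier makes all requests sit between check and act together, which is the
    worst-case interleaving the reporter reproduced with two parallel requests.
    """
    store = Store(accounts={user_id: Account()})
    barrier = threading.Barrier(n_requests)
    results = []

    def worker():
        results.append(handler(store, user_id, between_check_and_act=barrier.wait))

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.accounts[user_id].balance, results.count(True)


if __name__ == "__main__":
    print("racy, 2 requests:", simulate(racy_complete_survey, 2))   # (200, 2)
    print("safe, 2 requests:", simulate(safe_complete_survey, 2))   # (100, 1)
    print("safe, 25 requests:", simulate(safe_complete_survey, 25)) # (100, 1)
```

The two-request racy run reproduces the report's outcome ($200 for one survey); the hardened handler grants once no matter how many requests overlap. On the detection side, the same model suggests the audit query a defender wants: any account with more than one credit event for the same survey identifier is evidence the window was hit.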

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Violation of Secure Design Principles