
Stored XSS in files.slack.com

Medium
Slack

Team Summary

Official summary from Slack

We want to once again thank researcher @oskarsv for informing us of this issue. In the original submission that we previously disclosed here: https://hackerone.com/reports/783877, Oskarsv detailed a remote code execution vulnerability that hinged on the functionality of Slack’s “Posts” feature. More specifically, the “Posts” feature did not correctly perform input validation, leading to a cross-site scripting vulnerability that could be leveraged to achieve remote code execution in the Slack desktop client. At the time, it was possible to leverage most cross-site scripting vulnerabilities into remote code execution. We made the choice to spinoff the cross-site scripting portion of Oskarsv’s report into this HackerOne report to better track our internal work on the multiple issues at play. We promptly patched the mechanism that allowed for this exploit by fixing the input validation for files and Posts on the backend. Because the validation is performed on Slack’s backend rather than within the Desktop client itself, implementing this fix removed the need for any customers to update their version of the Slack client. We prioritized fixing this because without the cross-site scripting vulnerability, there is no known way to leverage the remote code execution; however, as mentioned, we still had more work to do to assure that no similar vulnerabilities could lead to the same level of impact. In fact, we had been working on this difficult problem for quite some time before this report, and had several in-flight projects to further harden the Slack desktop client to eradicate remote code execution opportunities. You can read more about the steps we took to achieve this defense-in-depth in our engineering blog post about the App Sandbox. 
Though it is not necessary to upgrade client versions to remediate this vulnerability, we do recommend that customers upgrade their Desktop client to at least version 4.4 in order to receive the benefits of the defense-in-depth work we have completed. We have shared this spinoff report to share more on this vulnerability, as it is the only known vector to enable the original RCE referenced above.
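Slack's summary attributes the bug to missing input validation in the "Posts" feature and says the remediation was validating file and Post content on the backend, which is why no client update was required. The following is an added example, written for this page and not Slack's code or anything taken from the original report: a minimal allowlist-based HTML sanitizer of the kind a server might apply to rich-text post content before storing or serving it. The tag and attribute allowlists, the accepted URL schemes, and the sample inputs are all constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists: what a rich-text "post" may still contain after validation.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}          # no event handlers, no style, no src anywhere
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_href(value: str) -> bool:
    """Accept relative URLs and a few safe schemes; reject javascript:, data:, etc."""
    # Browsers ignore tabs/newlines inside URLs, so strip them before reading the scheme.
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class PostSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes.

    Disallowed tags are dropped (their text is kept), disallowed attributes are
    dropped, and all text is re-escaped, so the output cannot carry script.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # <script>, <img>, <iframe>, ... are dropped
        rendered = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onerror=, onclick=, style=, ...
            if name == "href" and not safe_href(value):
                continue                # drops javascript:/data: links
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                      # stray or disallowed closing tag
        while self.open_tags:           # close inner tags first so output stays well-formed
            closed = self.open_tags.pop()
            self.parts.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.parts.append(escape(data, quote=False))   # text content is always escaped

    # Comments, processing instructions and declarations fall through to the
    # HTMLParser defaults, which ignore them, so they never reach the output.

    def result(self) -> str:
        self.close()
        while self.open_tags:           # close anything the author left open
            self.parts.append(f"</{self.open_tags.pop()}>")
        return "".join(self.parts)


def sanitize_post(html: str) -> str:
    """Validate untrusted post markup on the server before it is stored or served."""
    parser = PostSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, including the kinds of markup a sanitizer must reject.
    samples = [
        "<p>hi <b>there</b></p>",
        "<img src=x onerror=alert(1)>",
        '<a href="javascript:alert(1)">x</a>',
        '<a href="https://example.com" onclick="x()">x</a>',
        "<script>alert(1)</script>",
        "<b><i>unbalanced</b>",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_post(sample)))
```

The sanitizer works on a parsed tree rather than on regular expressions, which is what makes it robust to the usual encoding tricks (entity-encoded schemes, unquoted attributes, tabs inside `javascript:`); the parser decodes character references before the allowlist is applied and the output is re-escaped from scratch. Server-side validation like this is the layer Slack describes fixing; it is independent of, and complementary to, the client-side hardening (the Electron sandbox work) the summary refers to as defense in depth.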

Reported by oskarsv

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Cross-site Scripting (XSS) - Stored