
Slack Reset Users' Passwords After Discovering Invite Link Vulnerability

U.S. software company Slack Technologies said in a blog post that it had proactively reset the passwords of 0.5 per cent of its users after discovering a vulnerability in its “invite link” feature.

According to the company, the bug affected all users who created or revoked a shared invite link between April 17, 2017 and July 17, 2022. The vulnerability transmitted hashed versions of user passwords to other workspace members.

The vulnerability was uncovered by an independent security expert and disclosed to Slack on July 17. It affects more than 60,000 users.

While Slack claimed to have fixed the bug on the same day it was discovered and notified affected users that their passwords were reset 18 days later, the company was unable to account for the 0.5 per cent of users affected by the bug.

In an e-mail to affected customers, Slack stated that the hashed password of a user who created or revoked a shared invitation link was contained in the hidden events of raw data processed by Slack’s servers via a websocket processed by a Slack client app.

Slack explained that the hashed password is not stored or displayed in any Slack client. Detecting these hashes requires monitoring encrypted network traffic.

“We use a technique called salting to further protect these hashes. Hashed and salted passwords are secure but not perfect — they are still subject to being reversed via brute force — which is why we’ve chosen to reset the passwords of everyone affected,” Slack wrote in the email to affected customers.

IT World Canada Staff