At times, we’ve come to you with stories about security researchers being paid thousands — and in some cases hundreds of thousands — of dollars by companies for finding critical bugs in well-known software or hardware. However, this time, the story is different. It’s about a company that was stingy, and that’s not cool.
According to Mashable and Bleeping Computer, Slack paid security researcher Oskars Vegeris $US1,750 ($2,375) for finding and reporting a bug that would have allowed hackers to hijack a person’s computer. To do this, all a hacker needed to do was upload a file and share it with another Slack user or channel on the app’s desktop version.
“With any in-app redirect – logic/open redirect, HTML or Javascript injection it’s possible to execute arbitrary code within Slack desktop apps,” Vegeris, who is also a security engineer at Evolution Gaming, wrote in a HackerOne report. “This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE Javascript payload.”
Vegeris initially reported the problem to Slack in January, although the HackerOne report was just made public this past week. In the report, Vegeris said that the bug could give attackers “access to private files, private keys, passwords, secrets, internal network access, etc.,” and “access to private conversations, files etc. within Slack,” among others.
Considering the potential havoc that could have been caused had any of the above happened — let’s remember that Slack has at least 12 million daily active users — $US1,750 ($2,375) seems kind of… cheap. Add that to the fact that Slack published a blog about the bug and didn’t credit Vegeris’ work (although it apologised profusely, and apparently sincerely, afterwards) and it just seems like this researcher’s work was undervalued all around.
Some members of the security community also thought so and sharply criticised the company on Twitter.
“For all that effort, they got awarded $US1750 ($2,375),” wrote Daniel Cuthbert, co-author of the OWASP Application Security Verification Standard. “@SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on http://exploit.in.”
Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless.
The flaws found by this researcher result in the execution of arbitrary commands on user’s computer.
The TL;DR is wow pic.twitter.com/aUAtelIPVw
— Daniel Cuthbert (@dcuthbert) August 29, 2020
Should the government demand companies pay more in bug bounties?
Slack, a $20,000,000,000 company paid $1750 for an RCE as part of their bug bounty program.
If the researcher sold it to a private company he would have made tens of thousands of dollars.
— Alon Gal (Under the Breach) (@UnderTheBreach) August 29, 2020
Wow a security researcher did the following:
– Achieved Remote Code Execution in Slack
– Disclosed it responsibly
– Was patient throughout the whole process
Received $1,750 ???? https://t.co/m0l71vsw4o
@SlackHQ are these payouts based upon the seriousness of the exploit? pic.twitter.com/oAyn1ZpUFU
— Umar Hansa (@umaar) August 30, 2020
The critiques are not without foundation. Finding bugs is hard work that often involves a lot of learning, effort and time. It is also very competitive, which means there is always a risk that another researcher finds the bug you have been looking into and reports it first.
In a statement to Mashable, Slack said its bug bounty program was critical to keeping its app safe. It also added that it had implemented an initial fix for the bug found by Vegeris in February.
“We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognising their work and creating value for our customers,” Slack said.
Bottom line, being stingy on critical issues like these is more serious than it sounds. As pointed out by members of the security community, selling a bug like this on the black market could have brought in a lot more money. If companies want to ensure their products are safe, they need to reward good behaviour and hard work consistently.