Sure the bounty is low, but ultimately it's their money and their decision. They will deal with the 'consequences' of others skipping their program and some public shaming.
I find everyone talking about black markets etc. kind of ridiculous. Really? You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money - it was a fun challenge to chain it all together and I learned a lot from it.
The most outrageous part for me was the blog post I discovered by accident - it included no references or mentions (check archive.org). Both of the code snippets there are from my RCE reports. At the same time they were denying my requests for disclosure.
Of course, I understand that coordination mistakes like this happen, so I accept their apology and move on!
Evidence - original RCE video with huge CSS injection overlay: https://www.dropbox.com/s/11pv2ghdkw5g84b/css-rce-overlay.mo...
If you haven't had food for a few days everything is indeed about money. Either you reward someone properly for the work that they can do or they'll find someone else who does. I doubt most people get fuzzy warm feelings helping a big US corporation that's too greedy to actually pay independent researchers properly.
Edit: That's not to say your work wasn't cool btw. It's very admirable for you to view it the way you do.
More importantly, human history shows that ethics really are important. If you ignore ethics in the name of people starving, you build a society where even more people suffer and starve. If you want to build a society where everybody is safe and healthy, you need to pay attention to ethics now, not "someday".
It took many years to understand this.
I doubt anybody capable of finding an exploit like this is in that situation.
But pretending software development isn't a well-paying career path, in general, is a statistically incorrect statement.
Yet the vast amount of hacks or attempts typically originate from China or North Korea...
There are a lot of young folks that try to make this their full time job after some success, then get into a dry spell. The panic robs them of the lateral thinking that brought them to the dance to begin with, and they get into spirals of ravenously hunting simple bugs that end up as dupes and out of scope.
- Work on a bounty program that rewards mitigations instead of exploits (e.g., https://www.google.com/about/appsecurity/patch-rewards/). Those are much more deterministic. (But there's no black market for them.)
- Get a conventional job (possibly in software, possibly not), which pays you on a schedule.
I get the argument you're making about money, but I'm having trouble believing that going after bug bounties ever makes sense to someone in that situation, given how non-deterministic it is to find a bug.
Also (as this bug shows), it typically takes a long time between reporting a bug and having the responding team decide that it merits a bounty. In this case it took a month. (And then there's logistics about actually getting you the money at that point.) Are people who haven't eaten for a few days really going to be happy not eating for another month, even if they get a hundred thousand dollars then?
https://hackerone.com/slack/bounty_table_versions?type=team&...
I work with some security engineers who in previous jobs used to write exploits for the highest bidder. Their stuff ended up being used for exactly this. One of them even told me quite proudly, you know that exploit that was in the news, that was mine.
The lack of any ethical framework other than "I want to make as much money as possible" viscerally disgusts me. And there is far too much of this in our industry, it's rife with this sort of ingrained dollar-chasing selfishness with not a care of the consequences.
Good on you for taking a positive ethical stand against this. It's very refreshing to hear.
That refers to "spied upon" or something like "chopped to pieces"?
In which continent?
As a Slack user, seeing them pay < $2K for an RCE report does not make me feel safe. Next person finding something similar might be looking into this and saying "$3K? no thank you, I take the risk of getting caught but being paid fairly."
To be clear I am not advocating for this, but it makes me concerned as a user "some people" will be more likely to do it.
And yeah, those companies in turn work for 3-letter agencies and foreign governments. Of course many would consider selling to them unethical, but that would be absolutely legal.
>You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money
Not me, not you, but many people make it all about money. I don't think it's ridiculous to think that people can have absolutely zero ethics.
99% of people saying something about black markets or govt agencies have never really faced this decision or thought about it for more than 5 minutes. So it was a question - have you REALLY thought about it?
This is a profession where your actual skills mean very little until you do something exceptional to have a portfolio or become famous some other way. It's very easy to talk about ethics for people who live in western countries and have easy access to well-paid jobs, but a lot of people didn't have such options.
I don't try to justify actual criminals here, but don't be surprised when people sell 0-days to some Israeli companies or NSA-contractors.
It would be interesting if security reporters had a habit of ending their reports with what they feel is the fair market rate.
Just sucks - marketing, legal, the engineer and peers who reviewed it, security..
Uh lol.
Bug bounties gravitate to their market value by showing companies how valuable they actually are and forcing them to learn.
In this case it was possible to abuse the lack of context isolation to overwrite functionality (first part of the JS exploit). This changed function behaviour to return (leak) a BrowserWindow class (https://www.electronjs.org/docs/api/browser-window) when calling window.open(). A BrowserWindow class allows you to instantiate a new window with your own security settings :)
Some of the current non-standard functions in Slack: https://imgur.com/a/OSjS0kJ
More info: https://www.electronjs.org/docs/tutorial/security
And frankly, we shouldn't be giving companies a pass for being cheap because "reporting it responsibly" is the right thing to do. These companies are benefiting to a great degree by offloading vital security research onto unaffiliated and unknown third-parties. Your time, as well as the time of any other hacker or researcher, is valuable and needs to be compensated. I don't see why it's fair to any of us that we should have to work for free or for low pay-outs just because we might be doing the right thing. Same goes for any other career that is badly paid just because "they're helping people".
However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.
I consider bug bounties like competitions. The 'prize money' is defined beforehand. You don't have to compete if you don't want it. You can also compete for the 'notoriety'. Knowing the stakes, do you complain after getting 'first place'?
Everything you own or do is only worth as much as someone is willing to pay for it, everything else is just speculation.
Another approach is to take the invoice for the last security audit and simply pay the whole amount of that invoice to the researcher. If none was ever done (good God!), just some usual quote for pen testing the targeted application could be applied.
HackerOne could also enforce minimum payouts per exploit category.
Shouldn't people like you be able to do this for a living if you want to? It's valuable work. It has real market value. It seems like you're doing this for fun and genuine interest and I do admire that. Maybe you don't want to taint your motivation with the idea of "how much money can I get for this?" I get that too. But as an outsider, I see this low pay-out and I see exploitation under the guise of "doing the right thing". I genuinely want you to be paid more. You deserve it.
I feel like the only way this kind of thing will change is if people are more vocal about how inappropriate the low compensation is for a company like Slack. Public criticism is necessary and, unfortunately, the only tool we have nowadays to effect change. I understand if this isn't a hill you want to die on, but I hope that other people (particularly people who aren't in bug hunting) are willing to pressure Slack to reconsider its policies.
The problem with "others will ignore it in the future and ultimately they lose" is that it's a passive signal that is too easily overlooked and ignored. It never reaches anybody with any kind of influence who can make changes. If a big exploit happens and somebody does a root cause analysis, it's never going to lead to the conclusion that "well, it's because we haven't been paying enough in our bug bounty program, we need to change that", if only because there's no data about how many people passed on helping them out because of the low payouts.
Slack is directly taking advantage of that being the only alternative. You can do whatever you want with the money. However, having a robust bug bounty program ensures a wide range of people are both willing and able to look for and report vulnerabilities. This needs to be a requirement for any large successful company handling a large amount of user data. Slack can definitely afford it, and this can be used against them the next time they report a breach.
Stuff like that happens. We should only judge them if they screw up like that again.
$1,750 for a detailed report on a critical RCE is like rewarding sniffer-dogs with breadcrumbs. One could sell this exploit at least for 5 figures on the black market.
In all cases, since Electron brings XSS to the desktop, it is a hackers paradise.
I reported it on HackerOne, it was only after I refused to post it on their free program that they added me to their paid private one.
It was marked as "medium", I got $250 for it.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L...
But I think how private that data is to the end user should also be taken into account. It’s a medium for technical risk (relative to server remote exec), but it should be seen as a high priority for the company and rewarded as such.
If an end user were to ask that company “why did you leak all my private data” their response would be “your data is worth less than $250 in human labour and is seen as a medium security risk”?
Don't undervalue the intangible permanence of doing the right thing, character outlasts cash come the grave.
Just curious - what makes XSS on the desktop different from other kinds of RCE vulnerability?
Electron used to default to insecure. You were basically running a web browser except with full access to your entire machine: file system/camera/mic/network etc. If you are an inexperienced developer it wasn't obvious that live linking to any 3rd party code could be an issue. Electron kind of fixed that. They warn you now and default to more secure. How many devs are capable of keeping it secure is up for debate.
As a related issue, it used to be (maybe still is) that by default, links you click in Electron open in Electron. So you make any app that accepts user data and links and suddenly people are browsing the entire net in an un-secured browser.
And worse, they break stuff. I made an electron app and explicitly made it so all links open in the user's browser. I updated to a new version and then to my horror found whatever I had done to make sure links opened in an external browser stopped opening links in an external browser.
Native apps can have exploits but most native apps aren't designed to be an environment for running arbitrary code. They're only an app for working on data.
Note, I love Electron, I've used it for several projects and it's great. But I'm also afraid of it and wish OSes were themselves more sandboxed so I didn't have to worry about it.
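The two Electron passages above (the leaked BrowserWindow via window.open() with its own security settings, and Electron's historically insecure defaults) both come down to which webPreferences a renderer runs with and who gets to choose them. Below is an added example, not code from the thread, from Slack or from the Electron project: a small audit of the webPreferences object passed to BrowserWindow, based on the checklist at https://www.electronjs.org/docs/tutorial/security, plus the decision logic you would plug into webContents.setWindowOpenHandler. The option names and the handler's return shape are Electron's; the HARDENED object, the check list and the allowed-origin policy are this example's assumptions. It runs under plain Node because it only models the policy, it does not open windows.

```javascript
// Added example (not from the thread, Slack or Electron itself): audit the
// webPreferences handed to Electron's BrowserWindow against the Electron
// security checklist, and decide window.open() requests centrally.

// Settings a renderer that shows remote or user-controlled content should
// run with. All option names are real BrowserWindow webPreferences.
const HARDENED = {
  nodeIntegration: false,             // page JS gets no require()/process
  contextIsolation: true,             // preload and page JS in separate contexts
  sandbox: true,                      // renderer inside Chromium's OS sandbox
  webSecurity: true,                  // same-origin policy stays on
  allowRunningInsecureContent: false, // no mixed content
  experimentalFeatures: false,
  webviewTag: false,                  // <webview> is another way to spawn a view
  nodeIntegrationInWorker: false,
  nodeIntegrationInSubFrames: false,
};

// [option, safe value, why the unsafe value matters]. Missing keys are flagged
// too: Electron's defaults changed across major versions, so a reviewer should
// see every security-relevant option pinned explicitly.
const CHECKS = [
  ['nodeIntegration', false, 'page JS can require() Node modules, so XSS becomes RCE'],
  ['contextIsolation', true, 'page JS shares a context with the preload script and can overwrite its globals'],
  ['sandbox', true, 'renderer process is not OS-sandboxed'],
  ['webSecurity', true, 'same-origin policy disabled'],
  ['allowRunningInsecureContent', false, 'mixed content allowed'],
  ['webviewTag', false, '<webview> enabled, so a page can create its own browser views'],
  ['experimentalFeatures', false, 'experimental Chromium features enabled'],
];

// Returns a list of human-readable findings; empty means the object is clean.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, safeValue, why] of CHECKS) {
    if (!(key in prefs)) {
      findings.push(`${key}: not set explicitly; pin it to ${safeValue}`);
    } else if (prefs[key] !== safeValue) {
      findings.push(`${key}=${prefs[key]}: ${why}`);
    }
  }
  return findings;
}

// Decision logic for webContents.setWindowOpenHandler. Electron calls the
// handler with { url, frameName, features, ... } and expects { action: 'deny' }
// or { action: 'allow', overrideBrowserWindowOptions }. Only a fixed origin
// allowlist (this example's assumption) may open a window, and the new window
// always gets HARDENED: the page never picks its own security settings.
function windowOpenPolicy(details, allowedOrigins) {
  let origin;
  try {
    origin = new URL(details.url).origin; // 'null' for javascript:, data:, etc.
  } catch (e) {
    return { action: 'deny' };
  }
  if (!allowedOrigins.includes(origin)) return { action: 'deny' };
  return {
    action: 'allow',
    overrideBrowserWindowOptions: { webPreferences: { ...HARDENED } },
  };
}

// In a real main process this would be wired up as (not executed here):
//   const win = new BrowserWindow({ webPreferences: HARDENED });
//   win.webContents.setWindowOpenHandler(d => windowOpenPolicy(d, ['https://app.example']));
//   console.log(auditWebPreferences(HARDENED)); // []
```

The audit is meant to run once at startup or in a unit test over every BrowserWindow options object in the code base; anything it reports is a renderer where an HTML injection is a step away from the kind of chain described in this thread.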
By the way, the security bounty should be mandatory to display to customers. It’s like saying “We don’t value the sum of all your data of all customers to more than $1750”.
A better solution would be to only allow a bug to be reported once per quarter, or once per version of the software. If someone finds a bug in v1.0 that's fixed in v1.1, then someone (even the same person) should be able to report the same bug in a different place in v1.1. That's an incentive for companies to use the report to secure the whole app rather than just fixing the reported issue.
But you might have the same vulnerability found in several different places. Reports should really only be considered duplicates if the fix to one automatically fixes the other also. Your bug found in multiple locations might happen to be set up that way -- or it might not.
This exact problem occurs frequently when a company with a bounty program makes an acquisition and brings the new software into scope for the program. The acquired code is often full of relatively easy-to-find, high-impact bugs. What I've seen people do in this case is open the scope, accept a certain number of reports, and then suspend eligibility for that software for a certain period of time.
This would look like "we've had a lot of similar bugs filed against company-we-acquired.com, and we're taking that domain out of scope for X weeks while we work on it."
I have no idea what I’m talking about but my guess would be that the security economics of finding an RCE make it very valuable. The disclosure would be worth considerably more to Slack than this bounty. Something in the order of months’ worth of skilled labour, not hours.
I suppose the economics also mean Slack only have to outpay the bad guys, so this is really showing us how poorly compensated black hat labor is?
The vulnerability could do great to pwn a company as long as you already have a compromised user account in the company. That's not a wormable RCE, that's not zero click (I'm not saying it's not bad).
Is there a market for high-touch, highly targeted attacks? Maybe, if you can enter in business with the NSA or a ransomware group, those few who can monetize this sort of thing. Good luck.
https://hackerone.com/slack?type=team
It says right on the tin what the payout is going to be. If you don't like the terms of the program, don't participate. It's not really that difficult a concept.
I assume that would be _one_ way to get companies to care more about rewarding people who spend substantial amounts of time researching their security
If someone doesn't like the terms of a particular bug bounty program, I would ask why they are doing research against that company to begin with. That's like someone really wanting kids dating a person that doesn't want kids and hoping they will change their mind after they see how awesome it will be. Almost without exception, if you read the comments from the individuals reporting the bugs, they will actually defend the status quo (as is the case here if you dig around). It's mostly just loud people in the vicinity of this trying to drive up the market.
Of course in my example I could try to incentivize said partner to have children by all sorts of unethical means, and there are certainly ways for researchers to try to incentivize corporations to increase bounty scope or payout by unethical means. This is generally considered 'extortion'.
Lastly I think it's also important to point out that legality has nothing to do with ethics, and I certainly believe there are cases where disclosure is warranted outside of any established paradigm of 'responsible disclosure' or bounty program.
My point was about the wider security economy. It feels like Slack are low balling for work which they have a moral duty (er, moral in the sense that spectres haunt Europe) to pay something more like a living / minimum wage for hackers.
Cool to see how they used the html injection gadget.
Seems like slack messed up with the blog post but made a sincere attempt to make amends.
I've noticed slack is pretty good about allowing disclosure of H1 bugs. It's a really hard sell in a lot of companies, so I think they should be applauded for that.
I guess the moral of the story is try not to have places where arbitrary HTML is injected?
The other moral of the story is you need to be extra careful to write a secure Electron program, since XSS is a bigger problem than it would be in a desktop browser. Step 3 shows that the RCE could execute programs outside of the JS environment.
Additionally, CSP and iframes have a sandbox flag that can prevent navigating the _top target, which may have prevented this exploit assuming it could have been used (don't know what the Slack code looks like, maybe there was some reason it wasn't applicable).
This kind of response to security researchers just invites the next researcher to sell the exploit instead, or to actively exploit it.
Why does Slack seem like a company that is floundering? It took them over two years to release a simple feature like shared channels. It seems like the app is frozen in time and the company is doing nothing except keeping the lights on and waiting for Teams to obliterate them.
Slack turned from a hungry tiger startup into an exhausted lumbering enterprise giant whose primary weapon is litigation and mudslinging (Slack initially encouraged the Teams competition, then filed suit against Microsoft in perhaps the biggest case of corporate sour grapes in some time).
Pay your security researchers properly, Slack.
You think merging two or more organizations' workspaces in a sane and secure manner after likely basing the entire app infrastructure around the idea of a single workspace is a "simple feature"? This is a textbook example of the classic HN comment "Why does this company need X engineers to create Y product. I could do it in a weekend."
Then there's Slack's other "features", like the rich text editor nobody liked or wanted and that they initially refused to change.
Look at Teams' trajectory in the same timeframe.
Slack video calling is still bad. It's been years.
That's not an indictment of the engineers, but it's an indictment of the executives and managers responsible for the lazy stagnation they're currently in. The quality engineering is gone.
Headcount is way up, engineering budgets are way up, but feature velocity is non-existent. Meanwhile Teams is moving at lightspeed in comparison. While Teams might not be there yet, at least they're trying. Slack is doing nothing.
I don’t know where I’m going with this, but the correspondence with Slack just felt off to me. I was also disappointed that we were shouting from the rooftops a serious vulnerability, and we kept getting responses like “clear cache, try reinstalling the app.”
Perhaps the model should be an immediate price like the one that was offered, but also the ability to ask for more, confidentially. For instance you might feel this thing is worth more like $10k, and you could show the screengrab. Then the firm can decide whether to just pay up or haggle. And of course you still have Hacker One to arbitrate that the vuln is actually what was touted.
Nothing's perfect, of course there are holes in this idea as well.
This is the critical oversight - what would be the reason to not use a whitelist instead, or even custom tags instead of plain HTML? Most of the existing libraries for sanitizing html work like that.
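The "custom tags instead of plain HTML" option mentioned above, as an added example that is not code from the thread or from Slack: user input is never parsed as HTML at all. Everything is HTML-escaped first, then a fixed set of BBCode-style markers is translated into fixed output tags, so no byte of user input ever lands inside a tag or attribute name. The marker syntax, the allowed tags and the http(s)-only link rule are this example's choices; it is deliberately not a general HTML sanitizer, which is exactly the point.

```javascript
// Added example (not from the thread or from Slack): render user text with a
// small custom markup instead of letting any HTML through. Escape first, then
// translate fixed markers into fixed tags.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise every HTML-significant character before anything else runs.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Marker -> output tag. Output strings are constants, never built from input.
const SIMPLE_TAGS = { b: 'strong', i: 'em', code: 'code' };

// Links: absolute http(s) only. This test runs on already-escaped text, so
// quotes and angle brackets cannot appear in the candidate; a literal '&' has
// become '&amp;', which is the correct encoding inside an attribute anyway.
const URL_RE = /^https?:\/\/[^\s\]]+$/i;

// Turns "[b]text[/b]" into "<strong>text</strong>", "[url=https://...]label[/url]"
// into a link, and leaves everything else as escaped literal text. A marker
// whose URL fails URL_RE (javascript:, data:, relative paths) stays visible
// as plain text rather than becoming a link.
function renderMarkup(input) {
  let out = escapeHtml(input);
  for (const [marker, tag] of Object.entries(SIMPLE_TAGS)) {
    const re = new RegExp(`\\[${marker}\\]([\\s\\S]*?)\\[\\/${marker}\\]`, 'g');
    out = out.replace(re, `<${tag}>$1</${tag}>`);
  }
  out = out.replace(/\[url=([^\]\s]+)\]([\s\S]*?)\[\/url\]/g, (whole, href, label) =>
    URL_RE.test(href)
      ? `<a href="${href}" rel="noopener noreferrer">${label}</a>`
      : whole);
  return out;
}

// Constructed inputs for a quick run:
//   renderMarkup('<img src=x onerror=alert(1)>')  -> escaped text, no tag
//   renderMarkup('[b]hi[/b]')                      -> <strong>hi</strong>
//   renderMarkup('[url=javascript:alert(1)]x[/url]') -> left as literal text
```

Because the only `<` characters in the output come from the constant tag strings, adding a new formatting feature means adding one entry to SIMPLE_TAGS, not auditing a parser; that is the property an allowlist over raw HTML has to work much harder to keep.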
I hope Slack review the payment and give you a bit more.
For either use case the ability to write bots for it, and the fact that it syncs across devices with multiple simultaneous logins is awesome.
I also find the 1-person workspace to sadly be the easiest way to transfer files between my computers and phones. Like for example when I need to take a PDF with me to the airport or elsewhere, I just drag the PDF into my 1-person Slack workspace and head out the door. Every other method I've tried involves more steps. The mobile clients of Dropbox and Google Drive make it unreasonably hard to actually download files.
As you mentioned, there is also an inclination to send alerts or tasks to a channel, and similarly, the alert gets buried with additional messages, or you wind up creating a bunch of ‘alert’ channels that you mute, or become hijacked and people start convos in those channels.
Also, the threading sucks. It is very difficult to get users to use threads.
Their desktop client is an abomination. Worst even among Electron apps. IIRC once it was spawning a process per identity. Because some manager decided to hire bootcamp webshits. It is possible to do much more decent apps with even Electron.
And when an article about electron was posted, a person from Slack, 'javascript hacker at slack' in his bio, jumped to defend it without even putting a disclaimer.
Now they are treating a security researcher badly with these low bounties. This guy has good intentions and didn't want to sell it. But even if 10% of people sell it or use it on behalf of nation state actors, imagine the damage.
Pretty sure it is some shitty MBAs who don't even know about technology being there.
It is not welcome to be undiplomatic on HN, I know. But let me say this out. Fucking non technical people should not be allowed to decide on technical matters. But those shitheads generally have political abilities. That's what happened when Larry Page tried to oust those suits out of Google engineering divisions.