For more than five years, whenever a user created or revoked a shared invite link for a Slack workspace, Slack transmitted a hashed version of the user’s password to the other members of that workspace. Slack has automatically reset the passwords of the affected users and fixed the bug that led to the issue.
The bug affected about 0.5 percent of all Slack users, the company said, and Slack sent email notifications to all of those affected people on Thursday. In the notice, Slack said the issue occurred because Slack sends various types of information as hidden events through a websocket, which is open as long as a user has Slack open.
“One of the hidden events we send over the websocket is a notice that a shared invite link was created or revoked. The buge we discovered was in this invite link event along with the information about the shared invite link, the hashed password of the user who created or revoked the link was also included. The information was sent over the websocket to all users of the workspace who were currently connected to Slack,” the notice says.
The issue affected links created between April 17, 2017, and July 17, 2022, and Slack said an independent security researcher discovered and reported the bug to the company.
“This hashed password was not visible in any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers,” Slack said in a blog post.
“The hash of a password is not the same as the plaintext password itself; it is a cryptographic technique to store data in a way that is secure, but not reversible. In other words, it is practically infeasible for a password to be derived from the hash, and no one can directly use the hash to authenticate.
The issue only affected a small fraction of Slack’s user base, and the good news is that Slack supports two-factor authentication through a number of different methods, including Duo, Google Authenticator, and others. Slack users can enable 2FA in their Account settings in each individual workspace.