Slack developers have notified about 0.5% of users that their passwords are being forcibly reset. These users must change their passwords because of a recently fixed bug that exposed salted password hashes when users created or revoked invite links.
Let me remind you that we also wrote that the ToTok messenger turned out to be a tool for total tracking, and that the UseCrypt Messenger developers filed a lawsuit against an information security researcher for finding bugs.
The official announcement states that the mentioned bug was discovered and fixed in the Slack Shared Invite Link feature, which allows Slack Workspace owners to create special links. With such a link, anyone can join the conversation, and this feature was created as an alternative to inviting people one at a time.
When users created or revoked such links between April 17, 2017 and July 17, 2022, their hashed passwords were exposed via WebSocket to all workspace members connected to Slack.
Slack also reminded users that they are encouraged to use multi-factor authentication, install updates in a timely manner, and use up-to-date anti-malware tools.
What to do if Slack resets your password?
The developers claim that all active accounts requiring a password reset receive direct notifications with instructions. For information about resetting your password, you can visit the Slack Help Center at any time.