Slack

reports in last 90 days
91 disclosed resolved issues
12 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| High | User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files | None supplied | metnew | 38 Days and 2 hours | 199 Days and 3 hours | Resolved |
| Low | Information leakage and default open port | None supplied | freem0 | 1 Days and 23 hours | 500 Days and 11 hours | Resolved |
| Low | Invitation reminder emails contain insecure links | Cryptographic Issues - Generic | hanno | 13 Days and 16 hours | 422 Days and 12 hours | Resolved |
| Medium | CSRF in github integration | Cross-Site Request Forgery (CSRF) | asanso | 1 Days and 7 hours | 10 Days and 23 hours | Resolved |
| Critical | Access of Android protected components via embedded intent | Privilege Escalation | bagipro | 19 Days and 2 hours | 115 Days and 22 hours | Resolved |
| Medium | HTTP parameter pollution from outdated Greenhouse.io JS dependency | Resource Injection | irvinlim | 1 Days and 20 hours | 14 Days and 2 hours | Resolved |
| Medium | The POODLE attack (SSLv3 supported) at status.slack.com | Cryptographic Issues - Generic | cryptographer | 21 Days and 9 hours | 84 Days and 20 hours | Resolved |
| Medium | Bypass of the SSRF protection in Event Subscriptions parameter. | Server-Side Request Forgery (SSRF) | elber | 40 Days and 4 hours | 143 Days and 0 hours | Resolved |
| Medium | SSRF in api.slack.com, using slash commands and bypassing the protections. | Server-Side Request Forgery (SSRF) | elber | 5 Days and 11 hours | 189 Days and 5 hours | Resolved |
| High | Real Time Error Logs Through Debug Information | Information Exposure Through Debug Information | rubaljain | 0 Days and 7 hours | 10 Days and 16 hours | Resolved |
| Critical | AWS bucket leading to iOS test build code and configuration exposure | Information Disclosure | kiyell | 3 Days and 0 hours | 41 Days and 13 hours | Resolved |
| No rating | XSS in gist integration | Cross-site Scripting (XSS) - Generic | zemnmez | 0 Days and 5 hours | 57 Days and 18 hours | Resolved |
| Low | HTML Injection inside Slack promotional emails | None supplied | 0x0luke | 8 Days and 7 hours | 9 Days and 22 hours | Resolved |
| Medium | Internal SSRF bypass using slash commands at api.slack.com | Server-Side Request Forgery (SSRF) | albatraoz | 1 Days and 12 hours | 17 Days and 18 hours | Resolved |
| Medium | Shared-channel BETA persists integration after unshare | Business Logic Errors | oneiroi | 22 Days and 7 hours | 37 Days and 5 hours | Resolved |
| High | Unauthenticated LFI revealing log information | Information Disclosure | juji | 0 Days and 14 hours | 14 Days and 14 hours | Resolved |
| No rating | Bypass two-factor authentication | Improper Authentication - Generic | kamikaze | 6 Days and 5 hours | 8 Days and 6 hours | Resolved |
| No rating | Race Condition in account survey | Violation of Secure Design Principles | cablej | 4 Days and 3 hours | 400 Days and 6 hours | Resolved |
| No rating | Many Slack teams can be joined by abusing an improperly configured [email protected] inbox | Improper Authentication - Generic | securinti | 7 Days and 7 hours | 89 Days and 19 hours | Resolved |
| High | The Custom Emoji Page has a Reflected XSS | Cross-site Scripting (XSS) - Reflected | co3k | 8 Days and 14 hours | 0 Days and 17 hours | Resolved |
| No rating | Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation | Command Injection - Generic | fbogner | 7 Days and 14 hours | 286 Days and 19 hours | Resolved |
| No rating | a stored xss issue in https://files.slack.com | Cross-site Scripting (XSS) - Generic | boniao_norwin | 2 Days and 10 hours | 0 Days and 20 hours | Resolved |