Slack App Leaked Hashed User Passwords for 5 YEARS

Since 2017, if you’ve invited anyone to a Slack workspace, your password has leaked—albeit in the form of a salted hash. People are asking how this could have happened, and how it remained undetected for so long—more than five years.

This is a nasty insider threat risk because of the unintended leaked API result. It’s yet another example of why you should never reuse a password and always use 2FA/MFA when possible. Hashes can be cracked; scrotes gonna scrote.

Egg on someone’s face. In today’s SB Blogwatch, we double-check our password manager.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Summermash ’22.

‘One Way’ Hash — Yeah, Right

What’s the craic? Lily Hay Newman reports—“Slack Bug Exposed Some Users’ Hashed Passwords for 5 Years”:

Change your password
Slack is known for being easy and intuitive to use. But … one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users’ passwords. When users created or revoked … a “shared invite link” that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator’s hashed password to other members of that workspace.

The situation underscores the challenge of designing flexible and usable web applications that also silo and limit access to high-value data like passwords. … The company did not respond to questions … about which hashing algorithm it used on the passwords or whether the incident has prompted broader assessments of Slack’s password-management architecture.

The errant passwords weren’t visible anywhere in Slack … and could have only been apprehended by someone actively monitoring relevant encrypted network traffic from Slack’s servers. … Slack said the situation impacted about 0.5 percent of its users. … If you received a notification from Slack, change your password, and make sure you have two-factor authentication turned on. You can also view the access logs for your account.

Quick! What does Richard Speed think? “Slack leaked hashed passwords from its servers for years”:

Extracting a password is possible
Did Slack send you a password reset link last week? … It appears that all users who created or revoked … a shared invitation link for their workspace … between April 17, 2017, and July 17, 2022, are affected.

[That’s] 0.5 percent of users … which doesn’t sound too terrible until you consider how many Slack users are out there. [But] at least 50,000 could have been affected.

The problem is that while the passwords were hashed and salted … extracting a password is possible. … Miscreants are well versed in brute-force methods and it has been possible to harvest those passwords for years.

But what’s the danger, really? Kirk Strauser lays it on the line—“Slack was broadcasting hashed passwords for 5 years”:

If you’ve invited anyone to Slack in the last 5 years, and you use the same password for Slack and your bank, I hope you’re on friendly terms with all of your coworkers.

In summary, for 5 years Slack sent your hashed password to everyone on your Slack server every time you invited (or uninvited) someone to it. [It] leaves a few questions unanswered:

  • How can you have a major vulnerability like this for 5 years?
  • What hashing algorithm did they use? Argon2? MD5?
  • Did they use per-user salts or one global one?

Is it fair to point to the “five years” aspect? ShrunkenQuasar thinks so:

For how long, you say? How does a bug like that go unnoticed for so long?

ELI5? kirab explains like we’re five:

To recap the important part: Whenever you created or redacted an invite link, your password hash was sent to everyone online in your Slack.

Should Slack seek out the dev at fault? u/poodlebutt76 thinks so:

Bruh. How did this even happen?

Someone literally had to pull the user’s password and put it in a string! Who is doing this in a tech company with a 21 billion market cap, who handles the internal comms and PII of most of the Fortune 500??

Git blame time.

How could such a bug have happened? cuuupid blows us a big kiiiss: [You’re fired—Ed.]

I’m willing to bet someone JSON.stringify’d the entire user object without realizing the password hash is in there.

The broader conversation I think here is facilitating a shift to passwordless. Magic links, OAuth, Yubikeys all make passwords redundant. If I put in a password, I still need MFA and I can reset my password with just MFA, so why do I need the password at all? Let’s just switch to MFA-only sign-on.

Slack kinda led the charge to magic links and passwordless, so it’s strange to see they’re still stuck on this. Many enterprise orgs have moved SSO setups to enforce solely passwordless already.
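To make cuuupid’s theory concrete, here is an added example (not Slack’s code; field names, event names and the bcrypt-style hash are constructed) showing how serializing a whole user record into a workspace-wide event leaks the hash, an allow-list projection that fixes it, and a boundary guard that refuses to emit secret-bearing keys at all:

```javascript
// Added example, not Slack's code. All record fields, event names and the
// hash/salt values are constructed assumptions for illustration.

// Constructed user record as a server might load it from its user table.
const creator = {
  id: 'U123',
  name: 'alice',
  email: 'alice@example.com',
  password_hash: '$2b$12$constructedsaltandhashvalue',
  salt: 'constructedsalt',
};

// Vulnerable: the entire record rides along in the event, so JSON.stringify
// emits password_hash and salt to every client receiving the broadcast.
function buildInviteEventVulnerable(user, link) {
  return JSON.stringify({ type: 'shared_invite_link_created', link, creator: user });
}

// Fixed: an explicit allow-list projection. A field that is not listed here
// can never reach the wire, whatever gets added to the user table later.
const PUBLIC_USER_FIELDS = ['id', 'name'];
function toPublicUser(user) {
  return Object.fromEntries(PUBLIC_USER_FIELDS.map((k) => [k, user[k]]));
}
function buildInviteEventFixed(user, link) {
  return JSON.stringify({ type: 'shared_invite_link_created', link, creator: toPublicUser(user) });
}

// Defence in depth at the serialization boundary: walk the payload and refuse
// to emit it if any nested key matches a deny-list of secret-bearing names.
// Cheap enough to run on every outbound event, and it fails loudly in tests.
const SENSITIVE_KEYS = /^(password|password_hash|salt|secret|token)$/i;
function findSensitiveKeys(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) => {
    const here = path ? `${path}.${k}` : k;
    const hits = SENSITIVE_KEYS.test(k) ? [here] : [];
    return hits.concat(findSensitiveKeys(v, here));
  });
}
function safeStringify(payload) {
  const leaks = findSensitiveKeys(payload);
  if (leaks.length) throw new Error(`refusing to serialize sensitive fields: ${leaks.join(', ')}`);
  return JSON.stringify(payload);
}
```

Wiring `safeStringify` in place of `JSON.stringify` on the outbound event path is the kind of check that would have turned a five-year silent leak into a failing test on day one.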

However, u/RomanRiesen has another theory:

Some engineer probably thought he might have to use it for auth purposes (when the invited joins) and then forgot about it or something.

This behaviour was probably intentional at some point and then forgotten. … Sounds a bit like a junior who took the “perfect one-way-function” assumption of hashes a bit too seriously—so basically me a few years ago, LOL.

Meanwhile, Locky enquires about the geographical location of the French capital:

A tool promoted by Marketing departments for years because, “It bypasses all those pesky IT rules,” … is insecure? I am shocked.

And Finally:

Bam! It Was About a Glimpse of Running up to First Class in Vegas


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Rubaitul Azad (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
