Slack leaked hashed passwords for 5 years


A popular workspace platform transmitted hashed versions of users' passwords to other workspace members.

Slack notified approximately 0.5% of its users that it had reset their passwords in response to a bug.

The vulnerability, discovered by an independent security researcher and disclosed to the company in July, occurred when users created or revoked a shared invitation link for their workspace.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers,” Slack noted.

The flaw affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords. They will need to set a new Slack password before they can log in again,” Slack said.