One of the best ways to ward off hackers is to ask for their help. That’s the thinking behind the bug bounty program at Slack, the popular group-chat platform, which offers a payout to people who find and report legitimate security flaws that could be exploited by hackers.

Frans Rosén, a researcher at the web security firm Detectify, described in a recent blog post how he identified a flaw that would have allowed him to steal an individual Slack user’s private token, thus enabling him to log in as that person. Rosén submitted a report to Slack, detailing what he’d found, on a Friday evening. In that time, Slack had started the work of determining whether the bug was real (it was) so engineers could begin coordinating a patch. While one group worked on fixing the bug, another group of Slack engineers began investigating whether anyone had already exploited the security flaw (they found no evidence of this). (“The solution Slack made was a great one,” Rosén said.)

Of the thousands of tips Slack has received, more than 500 have been valid bugs. The company has paid more than $200,000 in bug bounties. “This bug is exactly why we invest in our public bug bounty program,” a spokesperson for Slack told me. “Once it was identified by the security researcher, we were able to fix it within five hours and confirm shortly after that it was not exploited in the wild.”

An earlier Slack vulnerability discovered by researchers at Detectify last June had involved the code Slack used for custom bots, which contained tokens (private credentials tied to individual accounts) and which developers were then copying to GitHub, the collaborative programming site. “In the worst case scenario, these tokens can leak production database credentials, source code, files with passwords, and highly sensitive information,” Detectify wrote at the time. Slack closed that security gap, too.

Bug bounty programs have been around since the early days of the web, but they’ve become more popular in recent years as a way to keep web users safe “from criminals and jerks,” as Tumblr puts it in a description of its program. In some cases these programs have resulted in massive payouts. Facebook has paid more than $5 million to some 900 researchers in the past five years. Twitter has paid more than $600,000, according to its page on HackerOne, a site where companies share information about their bug bounties. Google offers rewards of tens of thousands of dollars to hackers who identify vulnerabilities that could result in someone taking over a Google account. United Airlines pays hackers in miles instead of cash. (That program launched after a hacker claimed he’d assumed control of a United flight.) It was Apple’s lack of a bug bounty program that may have prompted hackers to help the FBI unlock the iPhone that belonged to one of the attackers in the San Bernardino mass shooting in 2015. (Apple announced in August it would finally begin to offer cash bounties for valid bug reports.)

Back at Slack, there’s a sense of urgency about any report of vulnerabilities, whether from within the organization, or from outside researchers, or hobbyists. “Slack works very hard to ensure we don't ship known security flaws,” the Slack spokesperson said, “and the added brainpower of the developer and security communities is invaluable in keeping the service safe for everyone.” In the meantime, if you’re a Slack user feeling mildly queasy about the thought of your messages being made public, here’s where you can change message-retention settings.

Cisco’s security division, Talos, published new research on Wednesday highlighting how, over the course of the Covid-19 pandemic, collaboration tools like Slack and, much more commonly, Discord have become handy mechanisms for cybercriminals. With growing frequency, they’re being used to serve up malware to victims in the form of a link that looks trustworthy. In other cases, hackers have integrated Discord into their malware for remote control of their code running on infected machines, and even to steal data from victims. Cisco’s researchers warn that none of the techniques they found actually exploits a clear hackable vulnerability in Slack or Discord, or even requires Slack or Discord to be installed on the victim’s machine. Instead, they simply take advantage of some little-examined features of those collaboration platforms, along with their ubiquity and the trust that both users and systems administrators have come to place in them. “People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link,” says Cisco Talos security researcher Nick Biasini.
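The earlier Detectify finding described above turned on bot tokens that developers had copied into GitHub repositories. As an added example (not code from the article, Slack or Detectify), here is a small Python scan of the kind a pre-commit hook or CI job could run to flag Slack-shaped tokens before they leave a developer’s machine; the token regex is an assumption based on the widely documented `xox?-` prefix shape, and the sample repository contents are constructed.

```python
"""Flag Slack-style API tokens in source before they reach a public repo.

Added example; not code from the article, Slack or Detectify. The regex
assumes the well-known Slack token shape (xox + type letter + dash-separated
body) and should be tuned against the tokens your own workspace issues.
"""
import re
from typing import Dict, List, Tuple

# Assumed shape: "xox" followed by a type letter (b = bot, p = user,
# a/r/s = app-level/refresh/session) and at least two dash-separated groups.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z]{2,}(?:-[0-9A-Za-z]+)+\b")


def mask(token: str) -> str:
    """Keep only the prefix and tail so a finding can be reported without re-leaking it."""
    return token[:5] + "..." + token[-4:]


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, masked token) for every token-shaped match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, mask(match.group(0))))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a {path: content} mapping; return only the files that contain tokens."""
    findings = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample repository contents; the token values are made up.
SAMPLE_REPO = {
    "bot.py": 'SLACK_TOKEN = "xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"\n',
    "README.md": "Set SLACK_TOKEN in the environment; never commit it.\n",
    "config.example.json": '{"slack_token": "xoxp-111111111111-222222222222-333333333333-abcdef"}\n',
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_REPO).items():
        for lineno, masked in hits:
            print(f"{path}:{lineno}: Slack token found ({masked}); move it to a secret store")
```

A hit in a file such as `config.example.json` is worth treating as real until proven otherwise: placeholder files are a common place for a live token to be pasted by mistake.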