The office communication platform Slack is known for being easy and intuitive to use. But the company said on Friday that one of its low-friction features contained a vulnerability, now fixed, that exposed cryptographically scrambled versions of some users' passwords.
When users created or revoked a link—known as a “Shared Invite Link”—that others could use to sign up for a given Slack workspace, the command also inadvertently transmitted the link creator's hashed password to other members of that workspace. The flaw impacted the password of anyone who made or scrubbed a Shared Invite Link over a five-year period, between April 17, 2017, and July 17, 2022.
Slack, which is now owned by Salesforce, says a security researcher disclosed the bug to the company on July 17, 2022. The errant hashed passwords weren't visible anywhere in Slack, the company notes, and could only have been captured by someone actively monitoring the relevant encrypted network traffic from Slack's servers. Though the company says it's unlikely that the actual content of any password was compromised as a result of the flaw, it notified impacted users on Thursday and forced password resets for all of them.
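As an added illustration of the pattern behind this class of bug (hypothetical code, not Slack's; the event shape, field names and user record are assumed), a workspace event that embeds the link creator's whole user record beside an allowlisted version, plus a check that scans an outbound payload for credential material before it is sent to other members:

```python
import re

# Constructed sample record of the link creator (placeholder values, not real data).
LINK_CREATOR = {
    "id": "U_PLACEHOLDER",
    "name": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$" + "0" * 53,  # placeholder in bcrypt layout
}

# Vulnerable pattern: the event embeds the creator record wholesale, so every
# stored field, including the password hash, reaches everyone in the workspace.
def build_invite_event_vulnerable(creator: dict, link_id: str) -> dict:
    return {"type": "shared_invite_created", "link_id": link_id, "creator": dict(creator)}

# Hardened pattern: serialize through an explicit allowlist of public fields,
# so newly added sensitive columns can never leak by default.
PUBLIC_USER_FIELDS = ("id", "name")

def build_invite_event_hardened(creator: dict, link_id: str) -> dict:
    return {
        "type": "shared_invite_created",
        "link_id": link_id,
        "creator": {k: creator[k] for k in PUBLIC_USER_FIELDS if k in creator},
    }

# Defensive check (assumed heuristics): walk an outbound payload and report the
# path of any key with a credential-like name or any value shaped like a
# bcrypt string or a long hex digest.
SENSITIVE_KEYS = {"password", "password_hash", "hashed_password", "secret", "token"}
HASH_VALUE = re.compile(r"^(\$2[aby]\$\d{2}\$.{53}|[0-9a-f]{32,128})$")

def find_credential_leaks(payload, path: str = "") -> list:
    leaks = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                leaks.append(child)
            elif isinstance(value, str) and HASH_VALUE.match(value):
                leaks.append(child)
            else:
                leaks.extend(find_credential_leaks(value, child))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            leaks.extend(find_credential_leaks(value, f"{path}[{index}]"))
    return leaks
```

Running the check over the vulnerable event reports `creator.password_hash`, while the allowlisted event reports nothing; the same check fits naturally as a unit test on every outbound event type.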
Slack said the situation impacted about 0.5 percent of its users. In 2019, the company said it had more than 10 million daily act...