

This is a known fact and currently, there is no way you can redirect the links to open in the Incognito environment. Incognito not Supported: A vulnerability was detected with the Slack platform where the links did not support being opened in Incognito mode. Incorrect default browsers might cause the issue here. Different Default Browser set: Slack is programmed to open the links which you click in the default browser which is set on your computer.

TL;DR: this is a walkthrough of a hard-to-reproduce bug I found in Slack a few months back. Even though the payload was only working because of a legacy migration, by utilizing Python's AppKit to insert data into Chrome's rich-text-format clipboard, I was able to add and modify the XSS payload already inside Slack.

When looking at Slack's new editor for Posts a few months back, I noticed that my old posts using Markdown had been migrated to the new editor. For some reason, some of the links inside the posts did actually have javascript: as their protocol:

This was interesting, because there was no way to actually create new links with the same behaviour. Was it actually possible to modify the payload to do something else than just an alert()? How would I be able to show Slack that an issue was actually currently present?

First method, proxying the Rocket socket

I noticed that by using the browser's copy & paste, I was able to insert a new element with the malicious link present. This also triggered an event in their socket connection called Rocket:

This method alerted the /etc/passwd of the iPhone using the link inside Slack as a PoC:

I sent this over to Slack as additional comments inside the report, showing them that this could be used inside their iOS app as well. Even though I tried to make a clear Proof of Concept out of this, for some reason, Slack still wasn't able to reproduce this.

Last method, see for yourself

As a last suggestion, I asked Slack to be invited to my own Slack team, that had both examples working. AR from Slack joined my team and finally confirmed the two issues present, both in the web app and inside iOS:

For some reason, this issue was a hard one to prove, but I was glad that Slack took the extra step to join my test team to actually confirm the issue was present.

The issue in Slack is now fixed both in the iOS app as well as in the web app, and Slack paid out $1,000 for this bug. Also, I was able to learn a lot about the type of data that exists inside the clipboard in OS X.
