[1500$ Worth — Slack] vulnerability, bypass invite accept process
Slack has a public bug bounty program on HackerOne platform, its released since 2014, I have never used slack before I look for bugs in slack, but once I saw how it works, I noticed that’s the target I was looking for, for long time.
Slack has team management functions such as inviting other users to your workspace, slack also allows the users to restrict invites that comes from other users, once a user joined your workspace, you can chat or call with them and some other features.
Its also not possible to invite users directly to your workspace, the user has to accept the invite, if the user has blocked your invites they cant even receive your invites.
After choosing slack as a target, I started to look for bugs in invite functions since I have good experience in this function, I was trying to figure out how is the slack’s invite function is working so I can know any reasons that takes my attention to bugs.
When I was inviting a user via its email address, their account type in the users management page will be (Invited member) as you see in this screenshot, which means the user is only invited for now, but the user didn’t invite the accepted yet:
I was playing with the invited user, I was trying to know if I can have any interactions without accepting the invite from them, I changed the invited users role to admin, the account type from (Invited member) changed to (Workspace Admin) as you see in this screenshot, and I really didn’t feel anything interested at first:
After looking at other functions, I got back to the user management, Im again changed the invited users role from (Workspace Admin) to (Full member), I expected Slack to change the account type from (Workspace Admin) to (Invited member) but no, the account type was changed to (Full member), that was weird and very interesting, because I was thinking why the (Invited member) account type disappeared? where did it go? LOL
I logged in to the invited members account, and I was able to see the attackers workspace as the workspaces which I was joined, this is means as victim I have joined the attackers workspace without even taking a look at the attackers invite…
I don’t know exactly why slack add the victim to the attackers workspace, but its definitely some logical issue which allows the attacker to trick slack to think its actually a joined member, not an invited member, here is the steps to add a victim to your workspace without accepting the invite from the member side:
1. As attacker of course you need a workspace and have enough permission to manage users
2. As attacker invite the victim you want to add to your workspace
3. As victim you will receive the invite from your email, but you don’t need any interactions with it
4. As attacker change the victims role to any other roles, such as workspace admin, you can also change their role back to full member, and the victims account type from (Invited member) should be changed to (Full member)
5. As victim log in to your slack account, you will see the attackers workspace is listed in the workspaces you have joined
Impact:
An attacker is able to bypass the invite accept process for the invited victims, this is allows the attacker to interact with the victims such as chatting or calling them or notifying them.
This is also allows the attacker to bypass the restriction of their invite, if the victim has already blocked the attackers invites, the attacker is able to bypass the restriction.
The awarded bounty is: 1500$
The report is already disclosed in my hackerone account: https://hackerone.com/analyz3r
I will have other writeup’s on slacks vulnerabilities, to see them you can follow my twitter account: https://twitter.com/siratsami71
I hope you all enjoyed the writeup, new writeups are coming so don’t forget to clap and follow, Thanks ❤.