How I snooped into your private Slack messages [Slack Bug bounty worth $2,500]
While researching the MX records of slack.com, I noticed that they used a third-party email service. In that service, however, slack.com was already claimed. After a little more research, I found that all the sub-domains of slack.com, like teamname.slack.com, also had their MX set to the same service. These team domains were not claimed, so email for those domains could also be intercepted. What is the major issue with this? Could you send a message to your team from an email? These initial questions led to deeper research, which uncovered a critical vulnerability in Slack that let me snoop into private Slack messages.
To research the question further and gather relevant information, I looked for any way these emails were used by Slack. While browsing Slack's HackerOne page, I noticed that it mentioned the Email app, which can be used to send a message to a channel through email. This service, however, was only available on the Standard plan and above. So I upgraded my plan to Standard and started researching it.
After I installed the Email app on my channel, I was provided with an email address of the form [hashedtext]@uraniumsecteam.slack.com. The hashed text was randomly generated so that addresses cannot be enumerated, since someone could use that to spam the channel. As I mentioned, the email address used uraniumsecteam.slack.com as its domain, and I had already found that this domain had an MX record pointing at the third-party service, where it could be claimed. I proceeded with the plan and set up a route so that all email to @uraniumsecteam.slack.com would arrive in my inbox.
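The check a defender would want from the two paragraphs above, written here as an added Python example (not code from the original post): parse MX records, find every name whose mail is routed to a provider outside the organisation's own domain, and report the ones that have not been registered with that provider, since those are the names whose mail someone else could claim. The records are a constructed sample in dig's answer format, with example.com and the placeholder provider mailvendor.example standing in for the real domains; the `verified` mapping is an assumed input that in practice would come from the provider's dashboard or API.

```python
import re
from collections import defaultdict

# Constructed sample in "dig +noall +answer" style; none of these names are real.
SAMPLE_MX_RECORDS = """\
example.com.            300 IN MX 10 mx1.mailvendor.example.
example.com.            300 IN MX 20 mx2.mailvendor.example.
teamone.example.com.    300 IN MX 10 mx1.mailvendor.example.
teamtwo.example.com.    300 IN MX 10 mx1.mailvendor.example.
internal.example.com.   300 IN MX 10 mail.internal.example.com.
"""

MX_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$"
)


def parse_mx(text):
    """Return a list of (name, preference, host) tuples.

    Names and hosts are lower-cased and stripped of the trailing dot so they
    can be compared directly; comment lines and non-MX lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        host = m.group("host").lower().rstrip(".")
        records.append((name, int(m.group("pref")), host))
    return records


def registrable_domain(host):
    """Naive registrable domain: the last two labels.

    Adequate for the constructed sample; a real audit should use a
    public-suffix list so that hosts under e.g. co.uk are handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def external_mx(records, org_domain):
    """Map each name whose MX host lies outside org_domain to the set of
    third-party provider domains its mail is delivered to."""
    out = defaultdict(set)
    for name, _pref, host in records:
        if host == org_domain or host.endswith("." + org_domain):
            continue  # mail stays on infrastructure the organisation controls
        out[name].add(registrable_domain(host))
    return dict(out)


def unverified_subdomains(records, org_domain, verified):
    """Return (name, provider) pairs where mail for name is routed to a
    third-party provider but name is not registered with that provider.

    `verified` maps provider domain -> set of names already claimed by the
    organisation at that provider (assumed input; in practice this comes from
    the provider's dashboard or API).
    """
    findings = []
    for name, providers in sorted(external_mx(records, org_domain).items()):
        for provider in sorted(providers):
            if name not in verified.get(provider, set()):
                findings.append((name, provider))
    return findings


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_MX_RECORDS)
    # Constructed: only the apex has been registered with the provider.
    already_claimed = {"mailvendor.example": {"example.com"}}
    for name, provider in unverified_subdomains(recs, "example.com", already_claimed):
        print(f"UNCLAIMED: {name} routes mail to {provider}")
```

Run against real data by feeding it the output of `dig MX` for every name in your subdomain inventory, and treat each reported pair as a name that must be registered with the provider (or have its MX removed) before anyone else can.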
Let's talk about the exploit scenario. Team X has a domain at x.slack.com. They use the default Email app, which is widely used in Slack. Through the Email app, they have been given a private email address, for example [email protected]. An intruder then claims x.slack.com through the email service Slack uses and sets the route to their personal email, such as [email protected]. Once this is done, even though the team members send a message to [email protected], it never arrives, because the attacker has intercepted it. He could then choose to forward the message to the team, or modify it first.
As soon as the issue was reported, it was escalated to tier 0 (critical vulnerability) because it posed a significant threat: I could read the messages of any team. Slack quickly added a fix so that even if I claimed the domain, the incoming email would still be rejected. A permanent fix was then deployed, which still allows claiming the domain, but the email now goes through the app and reaches the channel instead of reaching the attacker.
Written by uranium238.
Thanks to the Slack Security team for the prompt response to the issue and the generous reward.
