Critical vuln that lets miscreants hijack people's computers via Slack *sucks in air* We'll give you $1,750 for it

A critical remote-code-execution vulnerability affecting past versions of the Slack desktop app was disclosed on Friday after the software maker fixed its app.


The behind-the-scenes wrangling leading up to the patch has prompted criticism of the size of the bug bounty reward paid for the vulnerability, and of the continued deployment of Electron-based desktop apps with known weaknesses.


Back in January, Oskars Vegeris, a security engineer at Evolution Gaming, privately reported to Slack, via the HackerOne bug bounty program, a remote code execution (RCE) vulnerability affecting versions 4.2 and 4.3.2 of its desktop apps for Linux, macOS, and Windows.


The HTML injection flaw could be exploited to run arbitrary code within a trusted *.slack.com page and, in turn, to run commands on the underlying operating system and access a victim's private files, passwords, and other data.
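The escalation described above, from HTML injection in a trusted renderer page to commands on the host, is only possible when an Electron app exposes Node.js and main-process capabilities to page content. The following is an added example, not Slack's code and not the researcher's exploit: a static audit of an Electron BrowserWindow `webPreferences` object that flags the settings which turn a renderer-side injection into host code execution. The setting names are real Electron options; the two sample configurations and the `/app/preload.js` path are constructed for illustration.

```javascript
// Added example (not from the article or Slack): audit Electron webPreferences.
// Constructed sample: a configuration in which renderer-side HTML injection
// reaches Node.js, and therefore the operating system.
const INSECURE_PREFS = {
  nodeIntegration: true,        // page scripts can require('child_process') etc.
  contextIsolation: false,      // page scripts share a JS world with the preload script
  sandbox: false,               // renderer runs outside the Chromium OS sandbox
  webSecurity: false,           // same-origin policy switched off
  enableRemoteModule: true,     // `remote` hands main-process objects to the page
  allowRunningInsecureContent: true,
};

// Constructed sample: the hardened equivalent. Privileged operations are reached
// only through a narrow contextBridge API in the (hypothetical) preload script.
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  enableRemoteModule: false,
  allowRunningInsecureContent: false,
  preload: '/app/preload.js',   // hypothetical path
};

// Each rule: setting name, predicate that is true when the value is dangerous,
// and the consequence for an attacker who can inject HTML into the page.
const RULES = [
  ['nodeIntegration', p => p.nodeIntegration === true,
   'HTML/script injection in the renderer becomes Node.js code execution on the host'],
  ['contextIsolation', p => p.contextIsolation === false,
   'injected scripts can reach preload globals and tamper with privileged code paths'],
  ['sandbox', p => p.sandbox === false,
   'renderer process runs without the Chromium OS-level sandbox'],
  ['webSecurity', p => p.webSecurity === false,
   'same-origin policy disabled; any loaded origin can read app data'],
  ['enableRemoteModule', p => p.enableRemoteModule === true,
   'the remote module exposes main-process objects to page scripts'],
  ['allowRunningInsecureContent', p => p.allowRunningInsecureContent === true,
   'plain-HTTP scripts can be loaded into an HTTPS page'],
];

// Electron's defaults for these options have changed between major versions,
// so an absent key is reported as "unset" rather than assumed to be safe.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [setting, isDangerous, why] of RULES) {
    if (!(setting in prefs)) {
      findings.push({ setting, severity: 'unset', why });
    } else if (isDangerous(prefs)) {
      findings.push({ setting, severity: 'high', why });
    }
  }
  return findings;
}

// True only when every audited setting is present and set to its safe value.
function isHardened(prefs) {
  return auditWebPreferences(prefs).length === 0;
}

// Stand-alone run: print the findings for the insecure sample.
for (const f of auditWebPreferences(INSECURE_PREFS)) {
  console.log(`[${f.severity}] ${f.setting}: ${f.why}`);
}
console.log('hardened sample passes:', isHardened(HARDENED_PREFS));
```

The check is deliberately static: it tells you which settings make an injection escalate, not whether a given page is injectable. Pair it with a review of `will-navigate` and `setWindowOpenHandler` handlers, since a renderer that can be redirected to an attacker-controlled origin while keeping these privileges is the same problem in another form.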


In practice ..
