Slack said it reset passwords for around 0.5 percent of its users after a bug exposed salted password hashes when shared invitation links for workspaces were created or revoked.
A cryptographic method known as hashing converts any type of data into a fixed-size output. Salting is intended to strengthen the hashing operation’s security and make it more resilient to brute-force attacks.
The flaw was found and patched in Slack’s Shared Invite Link functionality, which, according to official Slack documentation, lets Slack workspace owners generate a link that allows anybody to join. The feature is provided as an alternative to sending out individual email invitations to join the workspace.
All users who created or canceled shared invitation links between 17 April 2017 and 17 July 2022 are said to have been affected by the problem, which was discovered by an anonymous independent security researcher.
Bret Taylor, co-CEO of Salesforce, stated on the company’s most recent earnings call, held in May for the period ending April 30, that the number of customers spending more than $100,000 on Slack annually had increased by more than 40% on an annualized basis for four straight quarters. In July 2021, Salesforce completed the $27.7 billion acquisition of Slack.
The company said that no Slack client stored or displayed the hashed password, and that discovering it required actively monitoring encrypted network traffic. The company is also using the event to encourage people to enable two-factor authentication as a defense against account takeover attempts and to create unique passwords for online services.