Slack Plugs ‘Severe’ SAML User Authentication Hole

Cloud-based communications platform Slack finished patching a severe security hole Thursday affecting portions of its platform that used the Security Assertion Markup Language (SAML) standard for user authentication.

Slack's flawed SAML implementation mostly affected enterprise customers, who are the primary users of SAML as a means of authenticating to Slack accounts.

SAML is an open standard that defines how a company offers authentication and authorization for its services. It is the framework used to exchange data between an identity provider and a service provider in the context of accessing a user account. It’s also used for single sign-on implementations across multiple systems, platforms and other resources.

Researcher Antonio Sanso, a senior software engineer at Adobe, discovered the vulnerability in February. Slack confirmed the bug the following month, awarding him $3,000 for the discovery through its bug bounty program. According to Slack, the bug has been patched on affected systems.

“The vulnerability I found is part of the class known as ‘confused deputy problem,’” Sanso wrote on his personal blog outlining his discovery.

A confused deputy problem is a type of privilege escalation vulnerability: a program that has been given permissions for one purpose misuses its authority by applying those permissions to something else.

Sanso found instances in which Slack's SAML authentication allowed past users of Slack (holding an expired assertion) to regain access to a Slack account they were no longer permitted to access. An assertion is the XML statement, issued by the identity provider, that the service provider uses to make access-control decisions.

In another scenario, Sanso discovered an expired assertion could be used for more nefarious applications.

“To be more concrete, I used an old and expired (yes, the Assertion was also expired!!) GitHub Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely, the username was not asanso, aka me) and presented it to Slack. Slack happily accepted it and I was logged in to a Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one.”
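The two failure modes described above, an assertion that has expired and an assertion issued for a different service provider and subject, are exactly what a service provider's checks on the assertion's Conditions are meant to catch. The following is an added example, not code from the article, from Slack or from Sanso; it assumes the XML signature has already been verified by a SAML library, and the audience URLs and the second subject name are constructed placeholders.

```python
# Added example: the Conditions checks a SAML service provider must apply
# before trusting an assertion's subject. Signature verification is assumed
# to have been done already by a SAML library (not shown here).
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _parse_ts(value):
    # SAML timestamps are UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, expected_audience, now):
    """Return (ok, reason, subject). Accept only when the assertion is inside
    its validity window and was issued for this service provider."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", None
    if now < _parse_ts(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now >= _parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "assertion issued for a different audience", None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "no subject", None
    return True, "ok", subject


def make_assertion(subject, audience, not_before, not_after):
    # Constructed minimal assertion for illustration (a real one carries a Signature)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)
SLACK_SP = "https://slack-sp.example.invalid"      # hypothetical audience value
OTHER_SP = "https://other-sp.example.invalid"      # hypothetical, e.g. another site
STALE = make_assertion("someone-else", OTHER_SP, "2017-01-01T00:00:00Z", "2017-01-01T00:05:00Z")
WRONG_AUD = make_assertion("someone-else", OTHER_SP, "2018-03-01T00:00:00Z", "2018-03-01T00:05:00Z")
FRESH = make_assertion("asanso", SLACK_SP, "2018-03-01T00:00:00Z", "2018-03-01T00:05:00Z")
```

Run against the three constructed assertions, only FRESH is accepted; STALE is rejected as expired and WRONG_AUD because it was issued for another service provider, which is the check that stops a confused deputy from honouring someone else's credential.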

Slack declined to answer questions for this story, stating only that the issue had been fully patched as of Thursday.

  • Chris

    What is really disappointing about this issue is that it took Slack 9 months to fix this from the time they were notified. That isn't OK. Bugs are unfortunate and, alone, are not enough to condemn anyone. An organization's true character is revealed when we see how they act after the issue is discovered. I think this reveals that they don't really give a ----.

    • zzz xyz

      Where do you get 9 months? The disclosure timeline shows 5 months at most, but Slack confirmed the issue the next day. And in 3 months awarded a bounty, but they may have patched the issue before that point. I'm a concerned Slack customer who tries to keep an eagle eye on their security posture, but we should get the facts straight.

      • Ankur

        I think Chris might be reading the date notation on the timeline incorrectly. It's DD-MM-YYYY, not MM-DD-YYYY.

  • simone

    Well, aren't they slack ;)
