

Slack Technologies Inc. has fixed critical vulnerabilities in its desktop app, but the compensation paid to a researcher who uncovered the vulnerabilities has come in for criticism from the security community.
The vulnerabilities were discovered by security engineer Oskars Vegeris of Evolution Gaming in January and shared privately with Slack at the time. They allowed an attacker to chain an HTML injection, a security control bypass and a remote code execution JavaScript payload that would have let the attacker hijack a user's account.
One exploitable weakness was that files.slack.com served uploaded content unfiltered: an attacker could upload an HTML file to store the RCE payload directly on Slack's own domain, with no need for separate attacker-controlled hosting.
“Since it’s a trusted domain, it could contain a phishing page with a fake Slack login page or different arbitrary content which could impact both security and reputation of Slack,” Vegeris explained at the time. “There are no security headers or any restrictions at all as far as I could tell and I’m sure some other security impact could be demonstrated with enough time.”
The attack would grant an attacker access to private files, private keys, passwords, secrets, internal network access, private conversations and more, all within Slack. Worse still, once through the door, an attacker could make the payload "wormable" and repost the code to all user workspaces after a single click.
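The root cause described above is user-uploaded HTML rendering inline on a trusted domain with no security headers. As an added illustration, not code from Slack or from the researcher, the following checks a response from a user-content host for that condition and shows the headers a defender would serve instead; the header names are standard, while `ACTIVE_TYPES`, the sample response and the finding strings are this example's own constructions.

```python
# Added example (not Slack's code): classify how a user-upload host serves a file
# and build the hardened response headers a defender would want instead.
# ACTIVE_TYPES, the sample response and the finding strings are this example's own.

ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def evaluate_upload_response(headers: dict) -> list:
    """Return findings for one HTTP response from a user-content domain.

    The article's weakness is an uploaded HTML file that renders inline on a
    trusted origin with no security headers; this flags exactly that combination.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    inline = not h.get("content-disposition", "").lower().startswith("attachment")
    csp = h.get("content-security-policy", "").lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    findings = []
    if inline and ctype in ACTIVE_TYPES and "sandbox" not in csp:
        findings.append("active content rendered inline without CSP sandbox: "
                        "uploaded markup runs with the hosting origin's authority")
    if inline and not nosniff:
        findings.append("missing X-Content-Type-Options: nosniff: "
                        "browsers may sniff an upload as HTML")
    return findings


def hardened_upload_headers(filename: str, content_type: str) -> dict:
    """Headers that serve an upload as an inert download rather than a page."""
    # Drop anything that could break out of the quoted filename parameter.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    ctype = "application/octet-stream" if content_type in ACTIVE_TYPES else content_type
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox",   # defence in depth if ever rendered inline
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample: the weak configuration the article describes.
WEAK_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "Content-Length": "512"}

if __name__ == "__main__":
    for finding in evaluate_upload_response(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("HARDENED:", evaluate_upload_response(hardened_upload_headers("x.html", "text/html")))
```

A response that keeps HTML inline but carries both `Content-Security-Policy: sandbox` and `nosniff` produces no findings, since the sandboxed document no longer runs with the origin's authority.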
Still, the amount paid out to Vegeris is being criticized within the security community.
Bleeping Computer today described the payout, $1,750, as stingy. It noted that the general consensus on Twitter is that Slack, a $20 billion company with a messaging app used by major corporations, would have faced severe consequences had an exploit of this kind been sold on the dark web, a shady part of the internet reachable with special software. Further, critics noted that Vegeris would have earned a far larger amount selling the details on the dark web as well.
For all that effort, they got awarded $1750
Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please.
Because this would be worth much more on https://t.co/cqxDDdazqH
— Daniel Cuthbert (@dcuthbert) August 29, 2020
Worse still, Slack in a post two months ago promoted its “app sandbox” feature without disclosing the vulnerability or crediting Vegeris.
Slack apologized to Vegeris on the Hacker One disclosure page. “My name is Larkin Ryder and I am currently serving as the interim Chief Security Officer here at Slack. @brandenjordan made me aware of this misstep and I am writing to convey very sincere apologies for any oversight in crediting your work. We very much appreciate the time and effort you’ve invested in making Slack safer.”
While giving Vegeris credit is welcomed, questions still remain over Slack’s seemingly low payouts to security researchers who spend hours uncovering vulnerabilities that could cost the company millions if exploited.