The Exploitation of Massive Slack Workspaces Registration Vulnerability

I go by the name Sirat, but you can call me analyz3r. I’m a dedicated bug bounty hunter prowling the digital landscapes of HackerOne. Hacking isn’t just a hobby for me; it’s my profession, my passion, and my paycheck. With a wealth of experience under my digital belt, I’ve honed my skills in the art of uncovering vulnerabilities, particularly within the enigmatic realm of Slack. My journey has been paved with discoveries, each one adding to my repertoire of exploits. From infiltrating their fortress-like platform to reporting my findings through the channels of HackerOne, I’ve made it my mission to keep the digital frontier secure. And now, I invite you to delve deeper into my story, where every line of code holds a tale of triumph and tenacity.

The vulnerability detailed in this narrative isn’t attributed to Slack itself; rather, it pertains to Slack users. This vulnerability poses a threat to anyone utilizing Slack, making it a pertinent cautionary tale for all users of the platform.

As we delve into the intricate world of Slack, it’s essential to recognize one of its most prominent features: the ability for individuals within an organization to autonomously register for workspace access without the need for explicit invitations. This feature is particularly beneficial for large-scale enterprises seeking seamless onboarding processes, allowing them to efficiently approve internal users or employees for Slack workspace access. However, as we’ll soon discover, this convenience comes with its own set of vulnerabilities and potential pitfalls.

There’s a few steps and points required if you want to find this vulnerability and here I explain them.

Step 1: Identifying the Target Workspace

First things first: pinpointing the workspace of your target. This initial step can sometimes be straightforward. Keep your eyes peeled for clues; often, the workspace domain mirrors your target’s domain name or company title. For instance, let’s take our hypothetical target, SiratHub. In this case, the workspace URL could resemble the following:

https://sirathub.slack.com/join/signup#/domain-signup

Here, observe the subdomain “sirathub” within the Slack domain. Given its alignment with our target’s name, SiratHub, and its matching case, there’s a strong likelihood that this workspace belongs to the SiratHub company. This alignment significantly increases the probability of accuracy in identifying the target workspace.

Step 2: Verifying Registration Settings

Next up: determining whether the target has enabled registration on its workspace. It’s a breeze to check! Simply tack on “/join/signup” to the target’s workspace URL. For example:

https://targetwokspace.slack.com/join/signup

If registration is enabled, the interface should resemble the screenshot we previously observed for the SiratHub company workspace. Look out for the domain section, which serves as an email alias facilitating user signups. This verification step swiftly confirms whether registration functionality is active on the target workspace.

Step 3: Validating Domain Expiry

Now, let’s ensure that the domain utilized for signup expired or not.
Here’s the lowdown:
when the registration page is enabled, an associated domain serves as an email alias, facilitating workspace signups. For instance, in the case of SiratHub company, they leverage the domain sirathubgroup.com
However, here’s where the plot thickens: many workspace admins are blissfully unaware that their chosen domain may have expired. And guess what? An expired domain is akin to an open door for opportunistic attackers.
It presents a prime opportunity for them to swoop in, purchase the domain, and exploit it as an email alias to infiltrate the workspace as a member.
There’s also many ways to check if you can buy the domain or not, you can simply searching for the domain on godaddy.

In a nutshell, here’s the scenario:

the victim has previously utilized a domain for their Slack workspace registration page. However, unbeknownst to them, the domain has expired.
With the domain up for grabs, anyone can swoop in and purchase it. Seizing this opportunity, the attacker purchases the expired domain and cunningly employs it as an email alias to infiltrate the victim’s workspace. It’s a textbook example of exploiting oversight for nefarious gains.
It may even not because the domain expired, there’s can be a typo issue.

The ramifications of this vulnerability span from moderate to severe. Slack permits the uploading of various file types, exposing sensitive data to potential breaches. Additionally, user emails are publicly accessible within the workspace. Moreover, gaining member status grants extensive access to nearly all functions within the platform. While the primary concern lies in information disclosure, the exploit opens the floodgates to a plethora of critical attacks, exacerbating the threat landscape significantly.

I have currently found this issues in a few programs and the reports are triaged, this vulnerability can also be automated, this kind of vulnerability can also affect targets on different platforms which has same feature as slack register page.
This vulnerability has affected massive workspaces, this can be found in any programs.

Follow me on twitter: https://twitter.com/siratsami71