Gist Daniel15/42804c2df07cba46ddec27d959545156
Last active July 17, 2023 01:16
Slack invite link security issue
We are writing to let you know about a bug we recently discovered and fixed in Slack's Shared Invite Link functionality. This feature allows you to create a link that will permit anyone to join your Slack workspace; it is an alternative to inviting people one-by-one via email to become workspace members. You are receiving this email because you created and/or revoked one of these links for your workspace between April 17, 2017 and July 17, 2022. We'll go into detail about this security issue below.

Important things first, though: We have no reason to believe that anyone was able to obtain your plaintext password because of this vulnerability. However, for the sake of caution, we have reset your Slack password. You will need to set a new Slack password before you can log in again.

Now, for some technical details — feel free to skip the next two paragraphs if that doesn't interest you. When you're connected to Slack, we keep your client updated using a websocket. When you have Slack open, the websocket is an always-open stream of behind-the-scenes information, specific to just you and your account, that we use to push new information to your Slack client. When a new message is posted, a new file is uploaded, a new emoji reaction is added, or a new teammate joins, all of this information is sent to you over a websocket. The raw data streamed from Slack's servers over the websocket is processed by the Slack client apps, but is not directly visible to users.

One of the hidden events we send over the websocket is a notice that a shared invite link was created or revoked. The bug we discovered was in this invite link event: along with the information about the shared invite link, the hashed password of the user who created or revoked the link was also included. This information was sent over the websocket to all users of the workspace who were currently connected to Slack. The hash of a password is not the same as the password itself; it is a cryptographic technique to store data in a way that is secure, and cannot be used to log in as you. We use a technique called salting to further protect these hashes. Hashed and salted passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we've chosen to reset the passwords of everyone affected.

What should I do?

To set your new password, please use the following link:

[snipped]

When you do reset your password, we recommend selecting a complex and unique password. This is easiest to do by using a password manager to help you generate and store strong, unique passwords for every service you use. Additionally, we recommend using two-factor authentication with every service that provides it, including Slack, for an extra layer of security. You can learn more about how two-factor authentication works on Slack and how to set it up here:

https://get.slack.help/hc/en-us/articles/204509068-Set-up-two-factor-authentication

If you have additional questions, you can reply to this message or email us at [email protected]

We know that the security of your data is important. We deeply regret this issue and its impact on you.

Sincerely,
The team at Slack

Our Blog | Policies | Help Center | Slack Community

©2022 Slack Technologies, LLC, a Salesforce company.
500 Howard Street, San Francisco, CA 94105 USA
All rights reserved.
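The failure mode the email describes is a general one: a server-side event that is fanned out to every connected client serialized the whole user record of the person who created the link, so a column that should never leave the database (the salted password hash) went to every member of the workspace. The following is an added example, not Slack's code; the `User` fields, the event shape, the `build_event_*` functions and the `broadcast` helper are hypothetical stand-ins for a websocket fan-out. It shows the over-serialization pattern beside the allowlisted fix, plus a guard that refuses to write any event whose keys look like credentials.

```python
"""Over-serialization in broadcast events: the pattern behind the invite-link leak.

Added example, not Slack's code. The user record, field names, event shape and
the broadcast helper are all constructed stand-ins; the technique is the point.
"""
import json
from dataclasses import dataclass, asdict
from typing import Any

# Key fragments that must never reach a client over a broadcast channel.
SENSITIVE_KEY_FRAGMENTS = ("password", "hash", "salt", "secret", "token")


@dataclass
class User:
    """Constructed user row; in a real system this is the ORM model."""
    id: str
    name: str
    email: str
    password_hash: str   # salted hash, never meant for clients
    password_salt: str


def build_event_naive(link_url: str, creator: User) -> dict[str, Any]:
    """Vulnerable pattern: dump the whole model into the event.

    Every workspace member connected to the websocket receives this event,
    so any sensitive column on the model is broadcast to all of them.
    """
    return {
        "type": "shared_invite_link_created",
        "url": link_url,
        "creator": asdict(creator),
    }


def public_user_view(user: User) -> dict[str, Any]:
    """Explicit allowlist: only the fields clients are meant to see."""
    return {"id": user.id, "name": user.name}


def build_event_safe(link_url: str, creator: User) -> dict[str, Any]:
    """Hardened pattern: serialize through a purpose-built view, never the model."""
    return {
        "type": "shared_invite_link_created",
        "url": link_url,
        "creator": public_user_view(creator),
    }


def find_sensitive_keys(obj: Any, path: str = "") -> list[str]:
    """Walk a JSON-like structure and return the paths of keys that look sensitive.

    Usable as a last-line guard before an event is written to the socket, and as
    a regression test over fixtures of every event type the server emits.
    """
    found: list[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}.{k}" if path else str(k)
            if any(frag in str(k).lower() for frag in SENSITIVE_KEY_FRAGMENTS):
                found.append(child)
            found.extend(find_sensitive_keys(v, child))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return found


def broadcast(event: dict[str, Any], connections: list[list[str]]) -> int:
    """Fan an event out to every connected client, refusing to send if it leaks.

    `connections` stands in for open websockets (each is a list collecting frames).
    Returns the number of frames written.
    """
    leaks = find_sensitive_keys(event)
    if leaks:
        raise ValueError(f"refusing to broadcast event with sensitive keys: {leaks}")
    frame = json.dumps(event)
    for conn in connections:
        conn.append(frame)
    return len(connections)


if __name__ == "__main__":
    # Constructed sample user; hash and salt values are placeholders.
    alice = User("U1", "alice", "alice@example.com",
                 "$2b$12$constructedhash", "constructedsalt")
    print(find_sensitive_keys(build_event_naive("https://join.example/abc", alice)))
    print(find_sensitive_keys(build_event_safe("https://join.example/abc", alice)))
```

The guard is deliberately a key-name heuristic: it catches the exact class of mistake here (a model dumped wholesale into an event) but is not a substitute for the allowlisted view, which is the actual fix. Running `find_sensitive_keys` over captured fixtures of every event type is a cheap CI check that would have flagged this event before it shipped.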