An attacker may exploit the vulnerability within Slack's macOS, Linux, and Windows desktop apps to execute arbitrary code. Slack has since fixed it.

The problem was reported by Evolution Gaming's security engineer Oskars Vegeris, who documented it via the company's bug bounty program on HackerOne in January 2020.

"With any in-app redirect - logic/open redirect, HTML or JavaScript injection - arbitrary code can be executed within Slack desktop applications," explained the researcher. "This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload."

Vegeris says that an attacker trying to exploit the vulnerability will need to upload a file containing the RCE payload to their server, then create a Slack Post containing HTML injection code and post it to a channel or send it to a specific user to achieve remote code execution with a single click.

If the payload is enabled, the attacker can gain access to Slack's private messages and data, as well as to private information on the system, secret keys, passwords, tokens, internal network access, and more.

The payload could also be made wormable, meaning it would automatically be re-posted to all of the user's workspaces after being clicked.

In addition to this vulnerability, the researcher found a Cross-Site Scripting (XSS) flaw in files.slack.com that could result in the display of arbitrary HTML content on *.slack.com and phishing attacks via fake HTML login pages, but could also be misused to store the RCE payload.

Just last week, after the researcher found that Slack had fixed the bug (through the implementation of a sandbox) without crediting his work, details of the security bug went public and he posted about them on HackerOne.

"My name is Larkin Ryder and I currently work here at Slack as the Interim Chief Security Officer. @brandenjordan brought this error to my attention and I am writing to express my sincere apologies for any oversight in crediting your work. We deeply appreciate the time and effort that you have put into making Slack safer," Slack's CSO said on HackerOne.

Following last week's public disclosure, the infosec community has begun to mock Slack on Twitter for giving the researcher such a small bug bounty reward for his discovery. The company typically pays $1,500 for critical flaws found in its products.

"I think the fun you can have with this bug is way more worth than $1750." — joernchen (@joernchen) August 28, 2020