by johannh 4271 days ago
This is something that could definitely have been reported to Slack before disclosing it publicly. Maybe he did that, but it's not mentioned in the blog post so I assume he didn't.

It's just a nice thing to do and they might reward you for it. You can still post it on your blog after they released a fix.

It was reported to them before, they said it's not a bug:

   @rootlabs: Got the expected "not a bug" from @SlackHQ so
   feel free to see names of MSFT, Google chats via login
   info leak. http://t.co/kldKXN7NTf
https://twitter.com/rootlabs/status/499723782244675584
13th August? Man, someone messed up.
This is hardly an exploit. Since no authentication is required in order to see the chatroom listings for any domain, we must assume that they meant for their chatroom directory to be public information. This may not be what their customers are expecting, though...
It's not listing chatrooms, it's listing teams. Very different. For example, at the company I work for we have two teams on Slack: Engineering and Marketing. Not really a problem if people find that out! The channel listing would potentially be more interesting, and this exploit does not allow you to see that (spoilers: it's "general", "random", and "cats").
It's information disclosure at its finest. Something you _really_ want to avoid in a sensitive environment - which company internal comms certainly is.
It's a minor degree of information disclosure -- hardly at its finest.
The way companies handle security disclosures lately (i.e. laughing it off, or paying $6 reward), it seems like shaming them would work much better. Plus, this is truly a beginner-level failure, the kind you'd get insulted for by Linus.
Completely untrue about the people at Slack. I disclosed a pretty trivial vulnerability to them and got a $100 reward.

How about next time you stop generalising?

Well considering other people posted a tweet about someone trying to report it as a vuln on August 13th and getting told it's a feature, I'd say he's not exactly generalizing in this specific instance.
I'm not generalizing, and I don't really care about Slack. I'm just putting forward a hypothesis about what might be going on in a security researcher's brain when they stumble upon a vulnerability.
Pretty sure the going rate for a pen-tester is much, much higher than 100 USD an hour - and they would get paid even if they didn't find anything.
Why assume the worst about Slack just because some other companies have handled disclosures badly?

Real people work at Slack, and very few of them were likely responsible for this oversight.

OP could still pat him/herself on the back after disclosing and waiting for a fix.

Slack has a Reporting Security Vulnerabilities page on its site: http://slack.com/whitehat. Seems like something they would have taken seriously if it had been brought to them first.
Shaming Slack is one point. This guy just exposed the confidential information of who knows how many of Slack's customers. In my opinion that's douchery of epic proportions.
Maybe this kind of exposure is the only way we will teach people to stop trusting fly-by-night cloud startups with their confidential data?
This. That was exactly a kind of vulnerability that is meant to be publicly disclosed. Nothing of matter will happen to anyone because of that vulnerability, but people might remember it and next time they'll think twice about how they handle authentication.
So hurting people in order to teach them a lesson about not getting hurt?
This was about the most minor kind of information leak you could imagine. I doubt anybody is going to feel any real 'hurt' from this.

In this case the information seems unlikely to contain anything sensitive pertaining to customers. If it had though then the companies that had negligently put sensitive information on untrusted servers would be held liable and could face significant fines (violating the Data Protection Act 1998 in the UK can lead to fines of up to £500,000 and similar legislation exists in other parts of the EU). That more serious kind of breach is the one we are trying to avoid by advising companies not to use cloud services.

The lesson can be had independently of the intent of douchery. Shit happens, and learning from your mistakes (by admitting them) is a fine way to get better at what you do.
How about responsibly disclosing to the victims/users before going public?
I don't see how that would be possible unless Slack has a full list of their customers available somewhere.

Note that elsewhere in this thread you can see that it was reported to Slack, but they responded saying it wasn't a bug.

True, but it still feels like the right thing to do.

I'd like people to be responsible when they discover a serious flaw in my programs, so I'll try to be responsible when discovering one in theirs.

Also Linus basically insults anyone for being alive.

Responsible disclosure is nothing more than a cover for bad software vendors.

You are under absolutely no obligation to do work for free that these companies should have been doing in the first place.