O #slack! We found your stored PASSWORDS…
Aman Shakya February 15, 2021 Passwordless
Slack introduced a bug on 21st December 2020 that caused its Android app to store user passwords in plain text in the app's local storage.
Slack has asked users to change their Slack passwords and to clear the Slack app data on their Android devices. The affected users' passwords have been invalidated, and they will be asked to set new passwords the next time they log in.
Details shared by Slack
The problem was caused by a bug introduced between December 21st and January 21st. Slack told The Verge that the issue has now been resolved.
In its email to the affected users, Slack gave a few instructions for securing their accounts:
- If you are an Android user, change your password urgently.
- Your password might be saved in local storage in plain text.
- Clear the app data for Slack on the Android device.
The problem with storing passwords in plain text in local storage is that other apps on the phone can potentially read those passwords directly. A malicious app on the phone could exfiltrate the password and use it to log in to the affected app, or to any other app on which the user has reused the same password.
If you have used your Slack credentials on any other platform, reset them immediately. If you have saved your Slack password with Google, you can check it with Chrome's built-in password check-up tool. Slack has also said that users who authenticate with SSO or social logins may not have been affected by the bug.
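As an added example (not code from Slack or from this post), here is a small Python check an Android developer could run in a test to confirm that no credential ends up in the app's SharedPreferences XML. The file layout and all values are constructed for illustration, since the post does not say where Slack's app stored the password; the check also flags a base64 copy of the credential, because encoding is not encryption.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in Android SharedPreferences XML layout (hypothetical app, not Slack's).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_email">alice@example.com</string>
    <string name="password">hunter2</string>
    <string name="legacy_pwd_b64">aHVudGVyMg==</string>
    <string name="session_token">tok_3f9a7c21</string>
    <boolean name="dark_mode" value="true" />
</map>
"""

# Key-name fragments that usually indicate a stored credential.
SUSPECT_KEY_FRAGMENTS = ("pass", "pwd", "secret", "credential")


def find_plaintext_secrets(prefs_xml: str, known_secrets):
    """Return a list of (key, reason) findings for values that leak a credential.

    A finding is raised when a <string> value equals one of the known test
    secrets, equals the base64 encoding of one, or is stored under a key
    whose name suggests it holds a password.
    """
    encoded = {base64.b64encode(s.encode()).decode(): s for s in known_secrets}
    findings = []
    root = ET.fromstring(prefs_xml)
    for elem in root.iter("string"):
        key = elem.get("name", "")
        value = elem.text or ""
        if value in known_secrets:
            findings.append((key, "value equals test credential"))
        elif value in encoded:
            findings.append((key, "value is base64 of test credential"))
        elif any(frag in key.lower() for frag in SUSPECT_KEY_FRAGMENTS):
            findings.append((key, "credential-like key name"))
    return findings


if __name__ == "__main__":
    # Run with the credential used during the test login as the known secret.
    for key, reason in find_plaintext_secrets(SAMPLE_PREFS, {"hunter2"}):
        print(f"{key}: {reason}")
```

In an instrumented test, the same function would be run over the real preferences file after a test login, with the test account's password as the known secret.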
The Password Problem
It's a basic practice, Information Security 101, to store passwords securely (salted and hashed). This is not the first time a reputed global company has been seen not adhering to this basic practice. Facebook, Twitter and Social Captain (a third-party Instagram service) all have a history of storing passwords in plain text, and in 2019 Robinhood made headlines for storing passwords in plain text in its internal systems.
Go Passwordless!!! Adopting passwordless authentication eliminates the risk of password exposure due to insecure storage. An enterprise can also protect its users from password leaks and phishing attacks without needing additional 2FA/MFA or password managers.
Going passwordless drastically reduces an enterprise's attack surface, risk exposure and cost of authentication.
Connect with us to learn how our PureAUTH platform integrates with Slack and other SAML-enabled applications and makes an enterprise more secure and resilient.