Slack session hijacking

[UPDATE] An excellent article about the same issue has been posted by Detectify a few day after this one. Unfortunately Detectify was not aware of our post and had worked independently on this problem. Well they digged deeper and warned big webistes (Ars Technica, The Register, Observer, etc…) so the media impact has been very HUGE ! So huge that Slack listened to them and finally started to move by revoking public tokens.

Continue reading