TL;DR: I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket and steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it. A bug I found in Slack was recently published on HackerOne, and I wanted to explain it and the method I used to discover it.
Using `window.addEventListener('message', func)` and `window.postMessage()` to pass messages is a really convenient way of performing cross-origin communication. However, the biggest pitfall (which we've covered multiple times before) is not checking the origin of the message. Last week I was cruising around on Slack, using the version in the browser. Chrome has a really neat way of checking whether any element has event listeners attached: you can find it under Event Listeners in the Elements tab:
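A minimal illustration of that pitfall, added here and not taken from Slack's code: a `message` handler that acts on a WebSocket reconnect request from any sender, beside one that checks `event.origin` exactly and constrains the reconnect target. The origins, hosts and message shape are assumptions for the example, and the events are plain objects so it runs without a browser.

```javascript
// Assumed allow-lists for this example; a real app would use its own values.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_WS_HOSTS = new Set(['ws.example.com']);

// Vulnerable: acts on a reconnect request no matter which origin posted it.
// A page that embeds or opens this app can postMessage() a reconnect to a
// WebSocket it controls and receive whatever the client sends on it.
function handleMessageUnchecked(event) {
  const msg = event.data;
  if (msg && msg.type === 'reconnect' && typeof msg.url === 'string') {
    return { action: 'reconnect', url: msg.url };
  }
  return { action: 'ignore' };
}

// Hardened: exact origin comparison (no substring or regex match), payload
// validation, and the reconnect target pinned to a known host over wss:.
function handleMessageChecked(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { action: 'reject', reason: 'untrusted origin: ' + event.origin };
  }
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'reconnect') {
    return { action: 'ignore' };
  }
  let target;
  try {
    target = new URL(String(msg.url));
  } catch (e) {
    return { action: 'reject', reason: 'malformed url' };
  }
  if (target.protocol !== 'wss:' || !ALLOWED_WS_HOSTS.has(target.host)) {
    return { action: 'reject', reason: 'reconnect target not allowed' };
  }
  return { action: 'reconnect', url: target.href };
}

// In a browser both would be registered the same way; only the body differs:
//   window.addEventListener('message', handleMessageChecked);

// Constructed events standing in for a browser MessageEvent.
const fromAttacker = {
  origin: 'https://attacker.example',
  data: { type: 'reconnect', url: 'wss://attacker.example/ws' },
};
const fromApp = {
  origin: 'https://app.example.com',
  data: { type: 'reconnect', url: 'wss://ws.example.com/socket' },
};
```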
I noticed this was indeed the case for Slack: they were passing messages to