When visiting the homepage of slack.com, the HTML source code contains the following:
<noscript><meta http-equiv="refresh" content="0; URL="\/?nojsmode=1""></noscript>
However, something has gone wrong on Slack’s end where they’ve tried to escape "/?nojsmode=1", which has resulted in the HTML being malformed (and I offer no clues as to why they would even be using quotation marks, since that would have closed the content attribute anyway).
Visiting the homepage isn’t really important to me. Visiting the login page at https://slack.com/ssb/signin_redirect is, however. Due to this glitch, as soon as I visit https://slack.com/ssb/signin_redirect, I get redirected to https://ssb//signin_redirect?nojsmode=1 with no warning or explanation.
After contacting their support, I got nowhere. I was told it was deliberate, and that everything was working as intended – i.e. redirecting the user to an invalid website: “The behavior you are seeing now is the expected behavior, and not something we would take to our engineers to fix.”
Finally, while writing up this blog post, I realized I could redirect the person browsing the website to any URL, which is effectively an open redirect vulnerability. So I reported it to their bug bounty.
Visiting https://slack.com/joshua%2Ehu redirects you to https://joshua.hu/.
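As an added example (not code from the original post or from Slack), the following shows how a WHATWG URL parser such as Node's global URL resolves the backslash-escaped refresh target against the page URL, reproducing both redirects described above, together with the same-origin check a site should apply to any refresh target before emitting it. The function names and sample inputs are my own.

```javascript
// Added example, not code from the original post or from Slack.
// Shows how a WHATWG URL parser (Node's global URL) resolves the
// backslash-escaped refresh target, and the same-origin check a defender
// applies before honouring any refresh/redirect target. Function names
// and the sample inputs below are mine.

// Extract the target of a refresh value such as '0; URL="\/x?nojsmode=1"'
// (simplified form of the HTML refresh steps: optional "url=", optional quotes).
function parseRefreshTarget(content) {
  const m = /^\s*\d+\s*[;,]?\s*(?:url\s*=\s*)?(.*)$/i.exec(content);
  if (!m) return null;
  let target = m[1].trim();
  const q = target[0];
  if (q === '"' || q === "'") {
    const end = target.indexOf(q, 1);          // matching quote, if any
    target = end === -1 ? target.slice(1) : target.slice(1, end);
  }
  return target;
}

// Resolve a target against the page URL. For http(s), "\" is parsed as "/",
// so "\/host\/path" is the scheme-relative "//host//path": a different site.
// Returns null when the target cannot be parsed (no redirect would happen).
function resolveRefreshTarget(target, pageUrl) {
  try { return new URL(target, pageUrl); } catch { return null; }
}

// Defender check: accept only targets that stay on the page's origin.
function isSafeRefreshTarget(target, pageUrl) {
  const resolved = resolveRefreshTarget(target, pageUrl);
  return resolved !== null && resolved.origin === new URL(pageUrl).origin;
}

// Constructed samples mirroring the redirects described in the post.
const samples = [
  ['0; URL="\\/ssb\\/signin_redirect?nojsmode=1"', 'https://slack.com/ssb/signin_redirect'],
  ['0; URL="\\/joshua.hu?nojsmode=1"', 'https://slack.com/joshua%2Ehu'],
  ['0; URL="/joshua.hu?nojsmode=1"', 'https://slack.com/joshua%2Ehu'],  // slashes not escaped
];
for (const [content, page] of samples) {
  const target = parseRefreshTarget(content);
  const resolved = resolveRefreshTarget(target, page);
  console.log(`${target} on ${page} -> ${resolved ? resolved.href : '(unparsable)'}`,
    isSafeRefreshTarget(target, page) ? '[same origin]' : '[LEAVES SITE]');
}
```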
In response to the bug bounty report, they simply responded:
We’ve gone from “this behavior is deliberate” to “this is considered a low-severity vulnerability” (which I completely agree with, and have no interest in collecting some $50 bounty for).
Then it hit me: this is probably a deliberate dark pattern for users to disable noscript on the Slack website, so it’s easier to track users.
Credit where credit is due. I responded to the bug bounty report again stating that I do not want a bounty, I just want this fixed:
and I received a response saying they will actively look into fixing it now, since it obviously isn’t how it should be:
We appreciate your concern. After discussing your comments internally, we agree that this behavior is not ideal, and we have determined we will address the behavior as a result of this report. That said, we still feel this behavior does not pose a significant security risk, and as such, we will unfortunately not be offering a bounty for this report. Please let us know if you have any further questions or concerns, and we’ll be sure to get back to you as soon as possible.
Yay! Let’s hope it gets patched soon enough.
Update: In fewer than 24 hours, it was fixed. Yay for bug bounties being useful for at least talking to a human!