SlackOut

Summary

SlackIn < 0.14.0 exposes Slack teams to a denial of service (DoS) against new members: invites can be disabled team-wide so that nobody new can join.

Background

Slack is a popular chat application.

Slack is not optimized for public teams, but many open source communities employ workarounds to use it anyway.

One popular workaround is SlackIn, a small application that allows anyone on the Internet to invite themselves to a Slack team.

Vulnerability

To prevent abuse, Slack disables new invites when fewer than 50% of previous invites have been accepted.

Revoking invites does not help:

Invitation limits are not affected by revoked invitations. They are based solely on the acceptance rate of invitations that have already been sent.

With SlackIn prior to a7467a51 (PR #311), it was trivial to flood a Slack team with garbage invites that would never be accepted, preventing legitimate new members from joining the team.

Mitigation

Version 0.14.0 of SlackIn adds Google reCAPTCHA to prevent garbage invites.

Upgrade SlackIn to avoid SlackOut.
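The shape of that mitigation, as an added example that is not SlackIn's own code: a self-service invite handler that refuses to call Slack until a reCAPTCHA token has been verified server-side. The `sendPost` transport, the `inviteToSlack` wrapper and every sample value are assumptions constructed for the demo; the siteverify URL and its `secret`/`response`/`remoteip` parameters are Google's documented ones.

```javascript
// Added example, not SlackIn's own code: gate a self-service invite behind a
// server-side reCAPTCHA check so unverified requests never reach Slack's invite
// API. `sendPost`, `inviteToSlack` and every sample value below are assumptions
// constructed for this demo; the siteverify URL and its secret/response/remoteip
// parameters are Google's documented ones.

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Pure check of a siteverify response body ({ success, hostname, 'error-codes' }).
// Anything other than an explicit success for the expected hostname fails.
function captchaResponseIsValid(body, expectedHostname) {
  if (!body || body.success !== true) return false;
  if (expectedHostname && body.hostname !== expectedHostname) return false;
  return true;
}

// Verify a token with Google. `opts.sendPost(url, params)` is an injected
// transport resolving to the parsed JSON body (assumed, so the demo runs
// offline with a stub). Transport errors and odd tokens fail closed.
async function verifyCaptcha(opts, token, remoteIp) {
  if (typeof token !== 'string' || token.length === 0 || token.length > 4096) {
    return false;
  }
  const params = new URLSearchParams({ secret: opts.secret, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  let body;
  try {
    body = await opts.sendPost(RECAPTCHA_VERIFY_URL, params);
  } catch (err) {
    return false;
  }
  return captchaResponseIsValid(body, opts.hostname);
}

// Cheap syntactic e-mail check so obviously bogus addresses never consume an invite.
function isPlausibleEmail(email) {
  return typeof email === 'string' && email.length <= 254 &&
    /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Invite handler: validate input, verify the captcha, only then call Slack.
// Returns a plain result object instead of writing an HTTP response.
async function handleInvite(request, deps) {
  if (!isPlausibleEmail(request.email)) {
    return { status: 400, error: 'invalid_email' };
  }
  const human = await verifyCaptcha(deps.captcha, request.captchaToken, request.remoteIp);
  if (!human) {
    return { status: 403, error: 'captcha_failed' };
  }
  await deps.inviteToSlack(request.email); // assumed wrapper around Slack's invite call
  return { status: 200, ok: true };
}

// Offline stand-in for Google's endpoint: only tokens in `goodTokens` verify.
function makeStubTransport(goodTokens, hostname) {
  return async (_url, params) => ({
    success: goodTokens.has(params.get('response')),
    hostname,
  });
}

// Replay a constructed flood: one legitimate request with a valid token plus
// `floodSize` requests with no token. Returns how many invites reached Slack.
async function simulateFlood(floodSize) {
  const sentToSlack = [];
  const deps = {
    captcha: {
      secret: 'EXAMPLE_SECRET', // placeholder, not a real reCAPTCHA secret
      hostname: 'slack.example.org',
      sendPost: makeStubTransport(new Set(['good-token']), 'slack.example.org'),
    },
    inviteToSlack: async (email) => { sentToSlack.push(email); },
  };
  const requests = [
    { email: 'newcomer@example.org', captchaToken: 'good-token', remoteIp: '203.0.113.5' },
  ];
  for (let i = 0; i < floodSize; i++) {
    requests.push({ email: `junk${i}@example.net`, captchaToken: '', remoteIp: '198.51.100.7' });
  }
  const results = await Promise.all(requests.map((r) => handleInvite(r, deps)));
  return {
    attempted: requests.length,
    invitesSent: sentToSlack.length,
    rejected: results.filter((r) => r.status === 403).length,
  };
}

simulateFlood(1000).then((r) => console.log(r));
```

Two design points matter here. The verification fails closed: a missing token, a transport error, a `success: false` body or a hostname mismatch all stop the request before Slack's invite call, which is the call that counts against the team's acceptance rate. And a CAPTCHA only raises the cost of automated flooding; it does not stop a person from requesting invites that are never accepted, so watching the acceptance rate remains worthwhile even after upgrading.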

Recovery

Slack provides a “shared invite” feature whereby a team can generate a link to a page where anyone can join the team. Links expire after 30 days or 1,000 invites, after which the team must generate a new link.

To recover from SlackOut, use shared invites until the team's acceptance rate is back above 50%.
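A model of the lockout described in the Vulnerability section and of the recovery procedure above, added here as an example and not Slack's or SlackIn's code. It runs over a constructed invite event log: the event format, the early-warning threshold and the assumption that a join through a shared invite link counts as one sent-and-accepted invitation are mine; the 50% rule and the fact that revocations do not count come from the advisory.

```javascript
// Added example, not Slack's or SlackIn's code: a model of the invite lockout
// described above, run over a constructed invite event log. The event format,
// the early-warning threshold and the assumption that a join through a shared
// invite link counts as one sent-and-accepted invitation are mine; the 50%
// rule and "revokes do not count" come from the advisory.

const LOCKOUT_RATE = 0.5;

// Fold invite events into counters. A revoked invite stays counted as sent
// and never becomes accepted, so revoking cannot raise the rate.
function summarizeInvites(events) {
  const s = { sent: 0, accepted: 0, revoked: 0, sharedJoins: 0 };
  for (const ev of events) {
    switch (ev.type) {
      case 'invite_sent': s.sent += 1; break;
      case 'invite_accepted': s.accepted += 1; break;
      case 'invite_revoked': s.revoked += 1; break;
      case 'shared_join': s.sharedJoins += 1; s.sent += 1; s.accepted += 1; break;
      default: throw new Error(`unknown event type: ${ev.type}`);
    }
  }
  return s;
}

// A team that has never sent an invite is treated as fully accepted.
function acceptanceRate(s) {
  return s.sent === 0 ? 1 : s.accepted / s.sent;
}

// Smallest number of shared-invite joins k with
// (accepted + k) / (sent + k) >= LOCKOUT_RATE; at 50% that is k >= sent - 2*accepted.
function sharedJoinsNeeded(s) {
  const k = Math.ceil((LOCKOUT_RATE * s.sent - s.accepted) / (1 - LOCKOUT_RATE));
  return Math.max(0, k);
}

// Assess the team's invite status and raise an early warning before lockout.
function assessInvites(events, warnBelow = 0.6) {
  const s = summarizeInvites(events);
  const rate = acceptanceRate(s);
  return {
    ...s,
    rate,
    invitesEnabled: rate >= LOCKOUT_RATE,
    warning: rate < warnBelow,
    sharedJoinsNeeded: sharedJoinsNeeded(s),
  };
}

function repeatEvents(type, n) {
  return Array.from({ length: n }, () => ({ type }));
}

// Constructed log: a healthy team, then a flood of garbage invites, then a
// futile round of revocations, then recovery through shared invites.
const SAMPLE_EVENTS = [
  ...repeatEvents('invite_sent', 4),
  ...repeatEvents('invite_accepted', 3),  // 3/4 accepted: healthy
  ...repeatEvents('invite_sent', 20),     // flood: 3/24 accepted, invites disabled
  ...repeatEvents('invite_revoked', 10),  // revocations: rate unchanged
  ...repeatEvents('shared_join', 18),     // 21/42 = 50%: invites enabled again
];

// Number of events consumed at the end of each phase of the log.
const PHASES = { healthy: 7, flooded: 27, revoked: 37, recovered: 55 };

function assessPhase(name) {
  return assessInvites(SAMPLE_EVENTS.slice(0, PHASES[name]));
}

for (const name of Object.keys(PHASES)) console.log(name, assessPhase(name));
```

The useful output for an admin is `sharedJoinsNeeded`: after a flood of 20 junk invites against a team with 3 of 4 accepted, 18 people must join through the shared link before the rate climbs back to 50%, and the 10 revocations in between change nothing. Keeping the `warning` threshold above the lockout rate gives notice while regular invites still work.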

Timeline

2015-01-26
rauchg launches SlackIn.
2016-09-07 ➟ 20 months later
avatsaev forks, adds reCAPTCHA, and submits a PR.
2017-05-25 ➟ 9 months
whit537 discloses the SlackOut issue to rauchg in private email.
2017-05-25 ➟ 2 minutes
rauchg responds, “I agree with you. There's a PR open to add Google captcha. Would you like to help land it?”
2017-05-26 ➟ 1 day
Slack support provides whit537 with the shared invite workaround.
2017-05-26
whit537 shows rauchg this webpage and agrees to help land the PR.
2017-06-01 ➟ 6 days
rauchg releases version 0.14.0, and whit537 publishes this page.

Please upgrade and spread the word!