Slack just adverted what could have been a big disaster for its users.
The work-and-chat startup said Thursday that it fixed a security bug that if hackers exploited, could have led to criminals reading people’s private chats and communications. Coins2Day is a customer of Slack.
An altruistic hacker, Frans Rosén, reported the bug to Slack, which fixed the bug roughly five hours later. Slack paid $3,000 Rosén for spotting and reporting the error, Rosén said.
After fixing the bug, Slack said that it “performed a thorough investigation to confirm that this had never been exploited.”
Get Data Sheet, Coins2Day’s technology newsletter.
As tech news website ZDNet explains, Rosén discovered a way to steal user security tokens, which are essentially used to doll out who is allowed to access the appropriate Slack accounts.
Once Rosén obtained the tokens, he could log into different Slack accounts and trick the system into believing he was a sanctioned-user.
Rosén reported the error on the bug-reporting service of cybersecurity startup HackerOne, and wrote a detailed technical account of how he was able to exploit the security bug.
Rosén’s effort to help Slack is an example of how companies use so-called bug bounty programs to reward honest hackers who spot security problems before criminals can exploit them.
For more about cybersecurity, watch:
For example, Google (GOOG) said in February that it gave $3 million to good-guy hackers in 2016 for discovering security vulnerabilities in its various products and services.