Dishebh Bhayana

How I Took Over User Accounts Using Just Their Slack Member ID

🔐 TL;DR – Slack Integration Account Takeover Vulnerability

I discovered a critical vulnerability in a SaaS tool's Slack integration that allowed full account takeover using just a Slack Member ID.

Exploit Chain:

1. Convert Slack Member ID → Internal User ID
2. Use Internal ID → Fetch Session Token
3. Use Session Token → Get Bearer Tokens (access, refresh, id)

This gave unauthorized access to any user’s account. I responsibly disclosed it to the team, and they acknowledged and patched it promptly.

Discovery

While exploring the Slack integration of a SaaS tool, I noticed something odd: I was able to get the access token for any user by just using their Slack user ID.

In short, I could:

1. Convert any Slack Member ID into the internal user ID
2. Use that ID to fetch an authentication session token
3. Exchange the session token for full bearer tokens

With those, I had complete account takeover capability.

The Exploit Chain

Step 1 – Convert Slack Member ID to Internal User ID
An API accepted a Slack Member ID and returned the associated internal user identifier.

Step 2 – Use Internal ID to Fetch Session Token
A second endpoint accepted the internal user ID and returned a session token.

Step 3 – Use Session Token to Get Full Authentication Tokens
The final endpoint accepted the session token and returned a complete set of bearer tokens: access_token, refresh_token, and id_token.

This allowed me to take over any user’s account — view data, modify records, impersonate actions — all without their knowledge or consent.
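The three steps above share one defect: at each hop the service accepts an identifier the caller chose and treats it as proof of identity. The following is an added example (not the affected product's code, which the post does not show) contrasting that shape with a hardened issuer. It assumes a hypothetical slash-command-style flow, a constructed Slack-ID-to-user directory, and a constructed signing secret; the `X-Slack-Signature` / `X-Slack-Request-Timestamp` headers and the `v0` HMAC-SHA256 scheme are Slack's real request-signing mechanism. The hardened version only issues a session for a request Slack signed, takes the user from the signed payload rather than a parameter, and makes the session token short-lived and single-use.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed sample directory (not from the post): Slack member ID -> internal user ID.
USERS = {"U01AAAAAA": 1001, "U02BBBBBB": 1002}
# Hypothetical signing secret shared with Slack; a constructed value for this example.
SIGNING_SECRET = b"constructed-signing-secret"


class SessionError(Exception):
    """Raised when a request fails authentication or a token is invalid."""


def slack_signature(timestamp, body, secret=SIGNING_SECRET):
    # Slack's request-signing scheme: "v0=" + HMAC-SHA256(secret, "v0:<ts>:<raw body>")
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def sign_request(body, timestamp):
    # Headers a genuine Slack request carries; used here to build sample input.
    return {"X-Slack-Request-Timestamp": timestamp,
            "X-Slack-Signature": slack_signature(timestamp, body)}


def is_rejected(fn, *args):
    # True when the operation is refused with SessionError.
    try:
        fn(*args)
    except SessionError:
        return True
    return False


def mint_tokens(uid):
    # Stand-in for the real token service: opaque, user-bound strings.
    nonce = secrets.token_hex(8)
    return {"user_id": uid,
            "access_token": f"access-{uid}-{nonce}",
            "refresh_token": f"refresh-{uid}-{nonce}",
            "id_token": f"id-{uid}-{nonce}"}


class VulnerableIssuer:
    """Shape of the flaw described above: a caller-supplied identifier is taken
    as proof of identity at every step, so knowing a member ID is enough."""

    def __init__(self):
        self.sessions = {}

    def internal_id(self, slack_member_id):
        return USERS.get(slack_member_id)

    def session_token(self, internal_id):
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = internal_id
        return tok

    def exchange(self, session_token):
        return mint_tokens(self.sessions[session_token])


class HardenedIssuer:
    """Issues a session only for a request Slack actually signed, binds it to
    the user in the signed payload, and makes the token short-lived and single-use."""

    MAX_SKEW = 300      # seconds; older signed requests are treated as replays
    SESSION_TTL = 60    # seconds a session token stays exchangeable

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the behaviour is testable
        self.sessions = {}

    def _verify(self, headers, body):
        ts = headers.get("X-Slack-Request-Timestamp", "")
        sig = headers.get("X-Slack-Signature", "")
        if not ts.isdigit() or abs(self.now() - int(ts)) > self.MAX_SKEW:
            raise SessionError("missing or stale timestamp")
        # Constant-time comparison of expected and presented signatures.
        if not hmac.compare_digest(slack_signature(ts, body), sig):
            raise SessionError("signature mismatch")

    def start_session(self, headers, body):
        self._verify(headers, body)
        # Identity comes from the payload Slack signed; altering user_id breaks the signature.
        slack_user = parse_qs(body).get("user_id", [None])[0]
        uid = USERS.get(slack_user)
        if uid is None:
            raise SessionError("Slack user is not linked to an account")
        tok = secrets.token_urlsafe(32)
        self.sessions[tok] = (uid, self.now() + self.SESSION_TTL)
        return tok

    def exchange(self, session_token):
        entry = self.sessions.pop(session_token, None)  # pop: single use
        if entry is None:
            raise SessionError("unknown or already-used session token")
        uid, expires_at = entry
        if self.now() > expires_at:
            raise SessionError("session token expired")
        return mint_tokens(uid)
```

The design point is that a Slack member ID is public information within a workspace and must never stand in for authentication. In the hardened path the only way to obtain a session for user 1001 is to present a request Slack signed with `user_id=U01AAAAAA` in the body; the signature check, timestamp window, and one-shot session token each close one link of the chain described in the post.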

Responsible Disclosure

I reported the issue privately to the team via email, along with a proof-of-concept video and clear reproduction steps. They acknowledged the issue promptly and patched it within days. I appreciated their transparent communication and quick resolution.
