Dishebh Bhayana

How I Took Over User Accounts Using Just Their Slack Member ID

🔐 TL;DR – Slack Integration Account Takeover Vulnerability

I discovered a critical vulnerability in a SaaS tool's Slack integration that allowed full account takeover using just a Slack Member ID.

Exploit Chain:

Convert Slack Member ID → Internal User ID

Use Internal ID → Fetch Session Token

Use Session Token → Get Bearer Tokens (access, refresh, id)

This gave unauthorized access to any user’s account. I responsibly disclosed it to the team, and they acknowledged and patched it promptly.

Discovery

While exploring the Slack integration of a SaaS tool, I noticed something odd: I was able to get the access token for any user just by using their Slack user ID.

In short, I could:

Convert any Slack Member ID into the internal user ID

Use that ID to fetch an authentication session token

Exchange the session token for full bearer tokens

With those, I had complete account takeover capability.

The Exploit Chain

Step 1 – Convert Slack Member ID to Internal User ID
An API accepted a Slack Member ID and returned the associated internal user identifier.

Step 2 – Use Internal ID to Fetch Session Token
A second endpoint accepted the internal user ID and returned a session token.

Step 3 – Use Session Token to Get Full Authentication Tokens
The final endpoint accepted the session token and returned a complete set of bearer tokens: access_token, refresh_token, and id_token.

This allowed me to take over any user’s account — view data, modify records, impersonate actions — all without their knowledge or consent.
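To make the defect concrete, here is an added Python sketch (example code written for this edit, not the SaaS tool's or the author's code) that models the three endpoints first in the vulnerable shape the write-up describes and then in a hardened shape. Everything in it is constructed: the user table, the Slack member ID U0123456789, the signing secret and the function names are assumptions. The hardened version requires the Slack member ID to arrive in a request signed by Slack (Slack's v0 HMAC-SHA256 request signature over `v0:<timestamp>:<body>`), reads the ID out of that signed body rather than from a free parameter, mints a session only for that verified principal, and makes the session token single-use and short-lived.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed sample directory standing in for the SaaS tool's user table.
USERS = {"U0123456789": {"internal_id": "usr_42", "email": "alice@example.com"}}


def mint_bearer_tokens(internal_id):
    # Stand-in for the real token service; opaque random strings are enough here.
    return {name: f"{name}.{internal_id}.{secrets.token_hex(4)}"
            for name in ("access_token", "refresh_token", "id_token")}


# --- Vulnerable shape (the pattern the write-up describes) --------------------
# Every step trusts an identifier chosen by whoever calls it, so knowing a
# member ID is enough to walk the chain to a full token set.
VULN_SESSIONS = {}


def vuln_slack_to_internal(slack_member_id):
    user = USERS.get(slack_member_id)
    return user["internal_id"] if user else None


def vuln_issue_session(internal_id):
    token = secrets.token_urlsafe(16)
    VULN_SESSIONS[token] = internal_id
    return token


def vuln_exchange(session_token):
    internal_id = VULN_SESSIONS.get(session_token)
    return None if internal_id is None else mint_bearer_tokens(internal_id)


# --- Hardened shape -----------------------------------------------------------
SLACK_SIGNING_SECRET = b"constructed-signing-secret"  # placeholder, not a real secret
REPLAY_WINDOW_SECONDS = 300
SESSION_TTL_SECONDS = 60
SAFE_SESSIONS = {}  # token -> (internal_id, expires_at)


def slack_signature(timestamp, body, secret=SLACK_SIGNING_SECRET):
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_slack_request(timestamp, body, signature, now=None, secret=SLACK_SIGNING_SECRET):
    """Slack request signing: HMAC-SHA256 over 'v0:<ts>:<body>' plus a replay window."""
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False
    return hmac.compare_digest(slack_signature(timestamp, body, secret), signature)


def safe_slack_to_internal(timestamp, body, signature, now=None):
    """Map only a member ID that Slack vouched for, taken from the signed body."""
    if not verify_slack_request(timestamp, body, signature, now):
        return None
    member_id = parse_qs(body).get("user_id", [None])[0]
    user = USERS.get(member_id)
    return user["internal_id"] if user else None


def safe_issue_session(timestamp, body, signature, now=None):
    """Sessions are minted for the verified principal, never for a caller-chosen ID."""
    now = int(time.time()) if now is None else now
    internal_id = safe_slack_to_internal(timestamp, body, signature, now)
    if internal_id is None:
        return None
    token = secrets.token_urlsafe(32)
    SAFE_SESSIONS[token] = (internal_id, now + SESSION_TTL_SECONDS)
    return token


def safe_exchange(session_token, now=None):
    """Single-use and short-lived: the token is consumed on the first attempt."""
    now = int(time.time()) if now is None else now
    entry = SAFE_SESSIONS.pop(session_token, None)
    if entry is None:
        return None
    internal_id, expires_at = entry
    if now > expires_at:
        return None
    return mint_bearer_tokens(internal_id)
```

In a real deployment the token returned by `safe_issue_session` would be delivered back through Slack to that one user (for example as an ephemeral message), not handed to whoever called the endpoint. The property to check in review is the one the vulnerable chain lacks: no step accepts an identifier the caller chose, and a leaked session token is worthless once used or after its TTL.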

Responsible Disclosure

I reported the issue privately to the team via email, along with a proof-of-concept video and clear reproduction steps. They acknowledged the issue promptly and patched it within days. I appreciated their transparent communication and quick resolution.
