Slack: Content Spoofing all Integrations in https://team.slack.com/services/new/

2014-08-01T15:11:46
ID H1:22093
Type hackerone
Reporter jaysonzabate
Modified 2014-09-03T18:12:16

Description

Hello There,

I've discovered 48+ content spoofing and confirmed all of your Integrations at https://team.slack.com/services/new/ is vulnerable to Content spoofing and exploitable to all users. Content Spoofing An attack technique used to trick a user into thinking that fake web site content is legitimate data and is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.

Proof of concept:

Buildbox: https://asdasda.slack.com/services/new/buildbox?error=Content%20Spoofing

Cloud 66: https://asdasda.slack.com/services/new/cloud66?error=Content%20Spoofing

Code Climate: https://asdasda.slack.com/services/new/code-climate?error=Content%20Spoofing

Codeship: https://asdasda.slack.com/services/new/codeship?error=Content%20Spoofing

Crashlytics: https://asdasda.slack.com/services/new/crashlytics?error=Content%20Spoofing

Datadog: https://asdasda.slack.com/services/new/datadog?error=Content%20Spoofing

Dropbox: https://asdasda.slack.com/services/new/dropbox?error=Content%20Spoofing

Envoy: https://asdasda.slack.com/services/new/envoy?error=Content%20Spoofing

Github: https://asdasda.slack.com/services/new/github?error=Content%20Spoofing

GoSquared : https://asdasda.slack.com/services/new/gosquared?error=Content%20Spoofing

Google Drive: https://asdasda.slack.com/services/new/gdrive?error=Content%20Spoofing

Google+ Hangouts: https://asdasda.slack.com/services/new/hangouts?error=Content%20Spoofing

Help Scout: https://asdasda.slack.com/services/new/helpscout?error=Content%20Spoofing

Heroku: https://asdasda.slack.com/services/new/heroku?error=Content%20Spoofing

Honeybadger: https://asdasda.slack.com/services/new/honeybadger?error=Content%20Spoofing

Hubot: https://asdasda.slack.com/services/new/hubot?error=Content%20Spoofing

IFTTT: https://asdasda.slack.com/services/new/ifttt?error=Content%20Spoofing

Jira: https://asdasda.slack.com/services/new/jira?error=Content%20Spoofing

Jenkins CI: https://asdasda.slack.com/services/new/jenkins-ci?error=Content%20Spoofing

Librato: https://asdasda.slack.com/services/new/librato?error=Content%20Spoofing

Magnum CI: https://asdasda.slack.com/services/new/magnum-ci?error=Content%20Spoofing

MailChimp: https://asdasda.slack.com/services/new/mailchimp?error=Content%20Spoofing

Nagios: https://asdasda.slack.com/services/new/nagios?error=Content%20Spoofing

New Relic:

Ninefold: https://asdasda.slack.com/services/new/ninefold?error=Content%20Spoofing

OpsGenie: https://asdasda.slack.com/services/new/opsgenie?error=Content%20Spoofing

PagerDuty: https://asdasda.slack.com/services/new/pagerduty?error=Content%20Spoofing

Papertrail: https://asdasda.slack.com/services/new/papertrail?error=Content%20Spoofing

Phabricator: https://asdasda.slack.com/services/new/phabricator?error=Content%20Spoofing

Pingdom: https://asdasda.slack.com/services/new/pingdom?error=Content%20Spoofing

Pivotal Tracker: https://asdasda.slack.com/services/new/pivotaltracker?error=Content%20Spoofing

RSS: https://asdasda.slack.com/services/new/rss?error=Content%20Spoofing

Raygun: https://asdasda.slack.com/services/new/raygun?error=Content%20Spoofing

Reamaze: https://asdasda.slack.com/services/new/reamaze?error=Content%20Spoofing

Rollcall: https://asdasda.slack.com/services/new/rollcall?error=Content%20Spoofing

Runscope: https://asdasda.slack.com/services/new/runscope?error=Content%20Spoofing

Screenhero: https://asdasda.slack.com/services/new/screenhero?error=Content%20Spoofing

Semaphore: https://asdasda.slack.com/services/new/semaphore?error=Content%20Spoofing

Sentry: https://asdasda.slack.com/services/new/sentry?error=Content%20Spoofing

StatusPage.io: https://asdasda.slack.com/services/new/statuspageio?error=Content%20Spoofing

Stripe: https://asdasda.slack.com/services/new/stripe?error=Content%20Spoofing

SupportFu: https://asdasda.slack.com/services/new/supportfu?error=Content%20Spoofing

Travis CI: https://asdasda.slack.com/services/new/travis?error=Content%20Spoofing

Trello: https://asdasda.slack.com/services/new/trello?error=Content%20Spoofing

Twitter: https://asdasda.slack.com/services/new/twitter?error=Content%20Spoofing

Userlike: https://asdasda.slack.com/services/new/userlike?error=Content%20Spoofing

WorkingOn: https://asdasda.slack.com/services/new/workingon?error=Content%20Spoofing

Zendesk: https://asdasda.slack.com/services/new/zendesk?error=Content%20Spoofing

Please download the screenshot proof of concept: https://www.dropbox.com/s/mnwa2pm1x4ziweg/slack%20content%20spoofing.rar

Regards, Jayson Zabate