Slack: Stored XSS in

ID H1:2625
Type hackerone
Reporter prakharprasad
Modified 2014-08-07T18:20:45



There is a stored XSS in

Steps to reproduce:

  1. Login to your Slack
  2. Goto "Create Private Group" and with any name and purpose
  3. Goto
  4. Upload a file hitting upload icon (^) filename shall be "><img src=x onerror=alert(1);>.jpeg
  5. After file is uploaded click on the image or file title, JS will execute as the filename is considered as payload

I've attached the image showing XSS.