Slack: Stored XSS in username.slack.com

2014-03-01T22:11:51
ID H1:2625
Type hackerone
Reporter prakharprasad
Modified 2014-08-07T18:20:45

Description

Hi

There is a stored XSS in username.slack.com.

Steps to reproduce:

  1. Log in to your Slack
  2. Go to "Create Private Group" and create one with any name and purpose
  3. Go to https://manish.slack.com/messages/group/files/
  4. Upload a file by hitting the upload icon (^); the filename shall be "><img src=x onerror=alert(1);>.jpeg
  5. After the file is uploaded, click on the image or file title; JS will execute, as the filename is considered as payload

I've attached the image showing XSS.

Thanks!
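
Added example, not part of the original report and not Slack's code: a sketch of the output-encoding failure the report describes, next to the escaped form. It assumes the uploaded filename was interpolated unescaped into an HTML attribute and element body (the report does not show the affected markup); the function names and the `file_title` class are hypothetical.

```javascript
// Constructed sample input: the filename given in step 4 of the report.
const FILENAME = '"><img src=x onerror=alert(1);>.jpeg';

// Hypothetical "before": the filename is concatenated into markup as-is,
// so the leading "> closes the attribute and the tag, and the rest is parsed as HTML.
function renderFileTitleUnsafe(name) {
  return '<a class="file_title" title="' + name + '">' + name + '</a>';
}

// Characters that can end an attribute value or start a tag/entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode for HTML body and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "After": the same template with the filename encoded at output time.
// In DOM code, element.textContent and setAttribute() give the same result.
function renderFileTitleSafe(name) {
  const safe = escapeHtml(name);
  return '<a class="file_title" title="' + safe + '">' + safe + '</a>';
}

// Demo-only check: list opening tags in the output other than the <a>
// the template itself wrote. Anything returned came from the filename.
function injectedTags(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<a\s/.test(tag));
}

console.log('unsafe:', injectedTags(renderFileTitleUnsafe(FILENAME)));
console.log('safe:  ', injectedTags(renderFileTitleSafe(FILENAME)));
```

Encoding belongs at every place the filename is written into a page, because the stored value is served to each user who later views the file.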