Slack Bug Allowed Automating Account Takeover Attacks

From bleepingcomputer.com

Slack has fixed a security flaw that allowed hackers to automate the takeover of arbitrary accounts after stealing session cookies using an HTTP Request Smuggling CL.TE hijack attack on https://slackb.com/.
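The CL.TE hijack above works only when a front-end and a back-end disagree about which header bounds the request body. As an added defensive example (not Slack's or the researcher's code), here is a strict framing validator a proxy could run before forwarding a request; the "bare `chunked` only" policy and the `example.invalid` host are assumptions for the demo.

```python
import re

# Implements the RFC 7230 section 3.3.3 rule: a request carrying both
# Content-Length and Transfer-Encoding is ambiguous and should be rejected,
# because two hops disagreeing on the body length is what a CL.TE desync
# exploits. Accepting only a bare "chunked" token is a deliberate hardening
# assumption, stricter than the RFC requires.

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, [(raw_name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name, value.strip(" ")))  # name kept unstripped on purpose
    return lines[0], headers

def framing_problems(raw: bytes) -> list:
    """Return reasons the request's body framing is ambiguous (empty list = clean)."""
    _, headers = parse_head(raw)
    problems = []
    for name, _ in headers:
        if name != name.strip():  # "Transfer-Encoding : x" or a folded line
            problems.append(f"whitespace around header name {name!r}")
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"malformed Content-Length {v!r}")
    for v in te:
        if v != "chunked":  # e.g. "xchunked" or "chunked\t" parse differently per server
            problems.append(f"non-canonical Transfer-Encoding {v!r}")
    return problems

# Constructed sample requests (not real traffic).
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    print(framing_problems(AMBIGUOUS))  # -> ['both Content-Length and Transfer-Encoding present']
    print(framing_problems(CLEAN))      # -> []
```

A front-end that rejects any request with a non-empty result (HTTP 400) gives the back-end nothing to desynchronise on, whichever header it would otherwise have preferred.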

Web security researcher and bug bounty hunter Evan Custodio reported the bug to the team collaboration platform’s security team via Slack’s HackerOne bug bounty program on November 14th.

The researcher discovered the vulnerability while testing several HTTP Request Smuggling exploits against Slack's in-scope assets using tooling he developed himself.