Slack has revealed that a December app update accidentally left passwords unencrypted on Android smartphones and tablets for about a month.
An alert email was recently sent to users of the Slack app for Android devices asking them to update their passwords. While no breach was detected, a programming error was discovered that had left passwords unencrypted for about a month. As such, it is recommended that users change their passwords.
Slack is a team messaging app based on the idea of a ‘Searchable Log of All Conversation and Knowledge’, which also gives the app its name. Since Slack is already a word in the English language, this is known as a backronym rather than an acronym. The application uses persistent chat rooms with public or private groups and direct messaging, which makes it convenient for businesses and organizations that need to organize collaborative efforts.
The need for Android users to update their Slack password was revealed via an email from Slack Technologies. As Android Police noted, some recipients may have mistaken the email for a spoofing attempt to get into their account, but it is a genuine email. That being said, it’s best to always go directly to an app or website to update logins rather than click a link in an email, as false reports of needing to change a password are common scams. Android users should assume that their passwords may have been compromised and reset them. Ideally, a different login should be used for each app and website, but if the password used with Slack was also entered for other accounts, those should also be changed.
Slack unencrypted password issue explained
The bug left passwords unencrypted and stored on Android phones or tablets in what security researchers and programmers call “plain text,” meaning the password can be read by anyone who knows where to look. No cracking effort or additional software would be needed to read the password. The issue arose with the update that was released on December 21, 2020 and was discovered on January 20, 2021. A fix was published as an app update the next day, so the passwords are no longer human readable, but there was a period of time when they were potentially vulnerable.
Slack is available for mobile devices, including Android, iOS, and iPadOS phones and tablets. There are also apps for Windows, Mac, and a beta version for Linux computers. It can also be used through a web browser. The only users affected by the password error were those with Android devices. As is the case with many security issues, it is not known whether the passwords were seen by unauthorized parties or not, but the safest approach is to assume that they were. Slack quickly resolved the issue once it was discovered and alerted users to take action.