How this team accidentally found an SSRF in Slack exposing AWS credentials! A $4000 bug bounty

Complex libraries lead to hidden attack vectors

Roberto · Published in InfoSec Write-ups · 5 min read · Jul 29, 2022


This is an inspiring story for all bug bounty hunters of how Brett Buerhaus, Cody Brocious, Sam Erb, and Olivier Beg discovered an SSRF vulnerability in Slack, and potentially in many other web applications. I will walk through a more user-friendly version of their detailed “A Tale of Exploitation in Spreadsheet File Conversions,” and all the material I’m presenting is sourced from…


Stanford alum, Software Engineer with a passion for CyberSec, Biotech, and Sustainability. Work with me at https://www.tidallabs.io/.