Mattermost is an Open Source, self-hosted Slack alternative that has gained a lot of traction lately. It has a web, a desktop, and a mobile client, and is built using modern technologies like Go and Node.js. As Mattermost, like Slack, is a messaging platform for teams, it is likely to hold a fair bit of sensitive information, which makes it a juicy target for attackers. This presentation will cover an assessment of Mattermost: its design, its implementation, and of course the vulnerabilities found during the assessment. A walkthrough will be presented of how an attacker could become a member of a team without being invited, escalate privileges to System Admin, gain remote code execution on a Mattermost user's desktop, and more. Finally, conclusions will be drawn about how these issues could have been avoided, and about the general security posture of the platform and the technologies used.
Presented at Security Fest 2016.

Speaker: Andreas Lindh
Andreas is a Security Consultant and Researcher at Recurity Labs. In his day job, he audits and assesses assorted systems and software, including mobile applications, embedded systems, web applications, and sometimes downright weird stuff. In his spare time, he hacks Open Source software for fun and non-profit. Before joining Recurity Labs, Andreas played defense as part of a small Managed Security Services team, doing intrusion detection, malware analysis, and all sorts of network hoopla. Before that, which is basically when dinosaurs roamed the earth, he worked for Volvo. Andreas has previously presented his work at events such as Black Hat USA, Virus Bulletin, Troopers, SEC-T, and various local OWASP gatherings. Every now and then, a journalist mistakes him for someone who actually knows something and quotes him in the media.