Hacking Slack using postMessage and WebSocket-reconnect to steal your token

  • One of the best vuln write-ups I've read in a while, in that it steps you through how the initial entrypoint was found, and the steps needed to turn that into a dangerous exploit.

    I think what really makes this writeup worth the read is the insight it shows into the thought process of identifying an interesting bug and weaponizing it. Thanks Frans!

  • The mitigation creating an a element seems a little bit awkward:

        if (!TS.utility.calls.verifyOriginUrl(evt.origin)) {
          return
        }
        ...
        verifyOriginUrl: function(originHref) {
          var a = document.createElement("a");
          a.href = originHref;
          return a.hostname == window.location.hostname
        },
    
    Is there a JS API for getting the host name from an origin, or is creating DOM elements the way to do this?

  • Just out of curiosity, how long did it take for you to come up with this PoC? From the initial notice that something might be exploitable until you sent the email to Slack?

    Your post makes it look so easy, but it would surely take weeks for me to figure out all these things.

  • Exposing onmessage wasn't the best idea. Instead it should be something more restrictive with origin check built in.

    addMessageListener("https://*.slack.com", function(data){})
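
To address both the question above about getting a hostname from an origin without a DOM a element and the stricter listener sketched in the comment just above, here is an added example; it is not from the thread and not Slack's code. It assumes the standard WHATWG URL API, and the addMessageListener() helper is a hypothetical name in the shape the comment suggests, not an existing browser API.

```javascript
// Added example; not from the thread, not Slack's code. It assumes the
// standard WHATWG URL API (current browsers and Node) and a hypothetical
// addMessageListener() in the shape the comment above sketches.

// Parse a postMessage origin ("https://app.slack.com") without a DOM <a>
// element. Returns null for unparsable origins, including the literal
// string "null" that sandboxed iframes and file:// pages report.
function hostnameOfOrigin(origin) {
  try {
    return new URL(origin).hostname;
  } catch (e) {
    return null;
  }
}

// Match an origin against an allowlist pattern such as "https://*.slack.com".
// A single "*" stands for exactly one hostname label, so "app.slack.com"
// passes while "slack.com", "a.b.slack.com" and "evil-slack.com" do not.
// Scheme and port must match exactly; a pattern without "*" is an exact match.
function originMatches(pattern, origin) {
  let expected;
  let actual;
  try {
    expected = new URL(pattern.replace('*', 'wildcard'));
    actual = new URL(origin);
  } catch (e) {
    return false; // either side is not a well-formed origin
  }
  if (expected.protocol !== actual.protocol || expected.port !== actual.port) {
    return false;
  }
  if (!pattern.includes('*')) {
    return expected.hostname === actual.hostname;
  }
  const suffix = expected.hostname.slice('wildcard'.length); // ".slack.com"
  if (!actual.hostname.endsWith(suffix)) {
    return false;
  }
  const label = actual.hostname.slice(0, -suffix.length);
  return label.length > 0 && !label.includes('.');
}

// Build a "message" listener that only forwards data from an allowed origin.
// Returns true when the handler ran, so callers can observe the decision.
function makeMessageListener(pattern, handler) {
  return function onMessage(evt) {
    if (!originMatches(pattern, evt.origin)) {
      return false; // drop silently: never answer an untrusted frame
    }
    handler(evt.data, evt.origin);
    return true;
  };
}

// Hypothetical helper in the shape suggested in the thread: the origin
// restriction is declared up front and the callback never sees other frames.
function addMessageListener(pattern, handler) {
  const listener = makeMessageListener(pattern, handler);
  window.addEventListener('message', listener);
  return function remove() {
    window.removeEventListener('message', listener);
  };
}

// Constructed sample events (the shape a browser delivers) to show the filter.
function demo() {
  const accepted = [];
  const onMessage = makeMessageListener('https://*.slack.com', (data, origin) => {
    accepted.push(origin);
  });
  const events = [
    { origin: 'https://app.slack.com', data: { type: 'call-ready' } },
    { origin: 'https://evil-slack.com', data: { type: 'call-ready' } },
    { origin: 'https://slack.com.attacker.example', data: {} },
    { origin: 'http://app.slack.com', data: {} },
    { origin: 'null', data: {} },
  ];
  events.forEach(onMessage);
  return accepted; // ['https://app.slack.com']
}
```

The URL constructor is not available in Internet Explorer, which is the usual reason for the anchor-element trick in code of that era. Note also that comparing hostname alone, as the quoted fix does, ignores scheme and port; the matcher here checks both, so an http page on the same host is rejected.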

  • Kudos to Slack for the quick fix! I've also been pleasantly surprised by their response times for bug reports, and even feature requests.

    Wonder if their support team is proportionately larger than most startups, or if "10x Support Agents" are a thing?