A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Well's security firm Tenable said in a separate report.
Credit: david wells / medium / screenshotThe vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controller server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle of carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noticed how Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.
(责任编辑:時尚)
U.S. pole vaulter skids to a halt for national anthemWordle today: Here's the answer and hints for May 7
'Succession' Season 4, episode 5: The GoJo deal explainedMicrosoft drops Twitter from its advertising platformOver 82,000 evacuate as Blue Cut fire rapidly spreads in southern CaliforniaSatisfy your Olympics withdrawals with Nike's latest app
Following in the footsteps of last year's successful launch of Nike's Tech Book is back in its secon
...[详细]How to eat pussy, according to sex experts
The timeless oral sexanthem, "My Neck, My Back" by rapper Khia, includes the renowned lyric: "Lick i
...[详细]Southwest Airlines flights were briefly grounded nationwide. What we know.
Southwest Airlines departures all over the country were briefly halted on Tuesday due to a computer
...[详细]Florida students 'Walkout 2 Learn' in opposition to Gov. Ron DeSantis
Florida students are taking a half-day Friday, not in anticipation of the weekend, but to walk out i
...[详细]Make money or go to Stanford? Katie Ledecky is left with an unfair choice.
This is Katie Ledecky's world right now, and the rest of us are just living in it. Want proof? Ledec
...[详细]Drake and The Weeknd's AI song 'Heart On My Sleeve' is scary good and totally fake
There's a new hit via Drake and The Weeknd that's taking over the internet — well, kind of. An
...[详细]Remembering Logan Roy: An obituary for 'Succession's CEO and family man
Succession's Logan Roy (Brian Cox) has died. The founder and CEO of Waystar Royco passed away on a f
...[详细]'Quordle' today: See each 'Quordle' answer and hints for June 19
If Quordleis a little too challenging today, you've come to the right place for hints. There aren't
...[详细]Xiaomi accused of copying again, this time by Jawbone
