A cybersecurity firm in May found a potentially serious problem in Slack’s Windows client, which could let a malicious user intercept file downloads in the collaboration software. The bug was soon patched, but the incident raises questions about the safety of workplace chat software at large, especially if set up by users and unmonitored by IT staff.
The issue was discovered by David Wells, a researcher at cybersecurity firm Tenable, as part of HackerOne’s bug-bounty program.
“The vulnerability could allow a malicious hacker to manipulate a link in Slack that could be manipulated to cause user downloads to be uploaded to a hacker’s server,” Tenable reported, “or change the document after it’s been downloaded but before the user has opened it. The hyperlink text can be masqueraded by using the ‘attachment’ feature in Slack, which allows an attacker to replace the hyperlink’s actual uniform resource identifier with any custom text, possibly fooling users into clicking.”
If the link had been manipulated, “the attacker can not only steal documents downloaded in the Slack application, they can also manipulate the documents. For example, if financial documents like invoices are downloaded, the attacker could not only read account numbers but also change them. Additionally, if an Office Document (Word, Excel, etc.) is downloaded, the attacker’s server could inject malware into it, so that, when opened, the victim machine is compromised.”
Wells said in a blog post that if the vulnerability is exploited, all of the files a user downloads in the future could also be hijacked until the user makes changes on his or her system. “While on the attacker’s server, the attacker could have not only stolen the document,” Wells wrote, “but even inserted malicious code in it so that when opened by a victim after download (through the Slack application), their machine would have been infected.”
Slack patched the vulnerability in an update to the Windows software, version 3.4.0. “Slack investigated and found no indication that this vulnerability was ever utilized,” Tenable reported, “nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version.”
Earlier this year, Trend Micro researchers found malware that used Slack and GitHub to steal Windows users’ data. In response to the discovery by Trend Micro, Slack said in a statement: “We investigated and immediately shut down the single Workspace as a violation of our terms of service, and we confirmed that Slack was not compromised in any way as part of this incident. We are committed to preventing the misuse of our platform and we will take action against anyone who violates our terms of service.”
“These tools are not always secure, and malicious hackers know exactly how to trick users to their links,” says Sue Bergamo, CIO and CISO at Episerver. “No matter what the vulnerability is, cybersecurity threats are becoming bolder, more complex and are farther reaching. While users may object to all of the protections needed to process information, the fact is that there will never be enough to keep information secure. Keep your device’s operating system up to date with the latest security patches. Companies and their security teams have engaged in a never-ending battle to defend their data.”