Slack bug could allow attackers to steal your files

With more than one million daily active users, Slack is up there with the world’s most popular business communications apps— for many it’s a critical component.

That reliance and the corporate information shared on the platform makes it a very attractive target for exploitation by attackers, and a recent find by cybersecurity firm Tenable found that could have easily been the case.

According to Tenable, a vulnerability was found in Slack’s Desktop Application for Windows version 3.3.7, which could have allowed an attacker to send a crafted hyperlink via Slack that, once clicked, could change the download location path to an attacker-owned file share.

The flaw has now been patched in Slack version 3.4.0, with users urged to check their version of Slack for Windows is up to date.

Reported by Tenable via its bug bounty program at HackerOne, Slack said an investigation revealed that there was no evidence that the vulnerability had been exploited.

If it had, it “could have allowed all future downloaded documents by the victim to end up being uploaded to an attacker-owned file server until the setting is manually changed back by the victim,” said Tenable researcher David Wells in a Medium post. 

With the document on their server, the attacker could have not only stolen the document, explained Wells, but could have inserted malicious code into its so when open by the victim, via Slack, their machine would have been infected.

“[…] the options from there on are endless,” Wells said.

Tenable co-founder and CTO, Renaud Deraison, said that the discovery should be a reminder of how the digital economy and global distributed workforce have introduced new threats to businesses in its strive towards “the ultimate goal of seamless connectivity”.

“[…] it’s critical that organizations realize this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organizations are secure.”

While business users would be wise not to use platforms such as Slack to share potentially sensitive documents or information, many will do owed to its convenience. Other information may seem innocuous to the user but, to an attacker, could represent a breadcrumb in the chain of a wider attack.

On the discovery, Wells said the technique used to gain access could have been unmasked by “savvy” Slack users, adding, “if decades of phishing campaigns have taught us anything, it’s that users click links […]”