Slack is a cloud-based set of proprietary team collaboration tools and services,
Security researcher David Wells from Tenable discovered a critical flaw in version 3.3.7 of the Slack desktop app that could be exploited to steal and manipulate a targeted user’s downloaded
The issue is classified as a download hijacking vulnerability that can be triggered by tricking a user into clicking on a specially crafted link pasted into a Slack channel.
Wells discovered that that is it possible to use slack:// links to change change Slack app settings if clicked, including the
PrefSSBFileDownloadPath setting that specifies the location where a user’s files are downloaded. An attacker could use a specially crafted link that when clicked, changes the targeted user’s download destination to a path specified by the attacker, for example, a remote SMB share.
“Crafting a link like “slack
Wells also discovered that an attacker could manipulate the downloaded file stored in the location they set up.
“Furthermore, we could have easily manipulated the download item when we control the share it’s uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/
An attacker can inject malware into an Office file downloaded by the victim.
The links devised by the expert can be pasted to a Slack channel or a private conversation to which the attacker has access.
But, is it possible to
The expert discovered that an unauthenticated attacker can change the location of downloaded files using RSS feeds. Slack channels, in fact. can subscribe to RSS feeds to populate a channel with site updates which can contain links.
In this case, the hacker has to trick the victim into clicking on a specially crafted RSS feed link posted online. The download location can be changed even if the attacker has not access to the victim’s Slack workspace.
“While less effective, these hyperlink attacks could be done without Slack channel authentication, via external .rss feeds or other content pulled into a Slack channel from an external source that may contain attacker-crafted hyperlinks.” Tenable explained.
“This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to,”
The flaw has been classified as “medium severity” because it required user interaction. Slack awarded $500 the researcher under its bug bounty program.
Users should check that they are running the latest version.
I’m one of the finalists thanks to your support