Tenable researchers expose vulnerability in Slack
Bad actors could have leveraged the flaw for corporate espionage or file manipulation
A recently discovered vulnerability in the Slack desktop application for Windows could have allowed an attacker to change where files downloaded through Slack are stored on a victim's machine.
The flaw was discovered by researchers at cybersecurity firm Tenable. Slack has since released version 3.4.0 to address this vulnerability.
Slack has become a critical tool for many organisations looking to keep their employees connected. The vulnerability, found in the Slack Desktop Application for Windows version 3.3.7, could have allowed an attacker to send a crafted hyperlink in a Slack message that, once clicked, changed the client's document download location to a file share the attacker controls. Because every subsequent download then lands on that share, an attacker could not only steal documents the victim downloads through Slack but also tamper with them, for example by injecting malicious code that compromises the victim's machine once the file is opened.
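The impact described above hinges on a download-directory setting that accepts a remote file share. The following example was added for this edit and is neither Slack's nor Tenable's code; it shows the kind of validation a desktop client could apply before accepting a new download path, rejecting UNC network paths in each of their common spellings (`\\server\share`, `//server/share`, and the extended-length `\\?\UNC\server\share`). The function names and the accept/reject policy are assumptions for illustration, and the sample paths are constructed. Note that a drive letter mapped to a network share cannot be distinguished from a local disk by string inspection alone; that would need an OS query at runtime.

```python
import re

# Absolute local path: a drive letter followed by a separator, e.g. C:\Users\...
_DRIVE_ABS_RE = re.compile(r"^[A-Za-z]:\\")


def classify_download_path(path: str) -> str:
    """Classify a proposed Windows download directory.

    Returns one of:
      'local'    - absolute path on a drive letter (C:\\Users\\alice\\Downloads)
      'unc'      - network path in any spelling (\\\\host\\share, //host/share,
                   \\\\?\\UNC\\host\\share)
      'relative' - not an absolute path (Downloads, C:Downloads)
      'invalid'  - empty or whitespace-only input
    """
    p = path.strip()
    if not p:
        return "invalid"

    # Normalise forward slashes so the prefix checks below only deal with '\'.
    p = p.replace("/", "\\")

    # Strip the extended-length (\\?\) and device (\\.\) prefixes. Inside them,
    # 'UNC\' marks a network path; otherwise the remainder is an ordinary path.
    if p.startswith(("\\\\?\\", "\\\\.\\")):
        body = p[4:]
        if body[:4].upper() == "UNC\\":
            return "unc"
        p = body

    # A plain double-backslash prefix is the classic UNC form \\host\share.
    if p.startswith("\\\\"):
        return "unc"

    if _DRIVE_ABS_RE.match(p):
        return "local"

    return "relative"


def accept_download_directory(path: str) -> tuple[bool, str]:
    """Policy (an assumption for this example): only an absolute local path is
    accepted as a download directory; anything pointing at a file share is
    refused, because whoever controls the share can read and rewrite every
    file the client subsequently downloads."""
    kind = classify_download_path(path)
    if kind == "local":
        return True, "accepted: absolute local path"
    if kind == "unc":
        return False, "rejected: network share is not a permitted download location"
    if kind == "relative":
        return False, "rejected: download directory must be an absolute path"
    return False, "rejected: empty path"


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate setting and several attacker-style ones.
    samples = [
        r"C:\Users\alice\Downloads",
        r"\\attacker.example\share\loot",
        "//attacker.example/share/loot",
        r"\\?\UNC\attacker.example\share\loot",
        r"\\?\C:\Users\alice\Downloads",
        "Downloads",
        "",
    ]
    for s in samples:
        ok, why = accept_download_directory(s)
        print(f"{s!r:45} -> {why}")
```

Run as a script it prints the verdict for each constructed sample; in a real client the same check would sit wherever the download directory is set from untrusted input, before the new value is persisted.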
“The digital economy and global distributed workforce have brought new technologies to market with the ultimate goal of seamless connectivity,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “But it’s critical that organisations realise this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organisations are secure.”