SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Slack users urged to update to prevent security vulnerability
Mon, 20th May 2019

Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately, after a security research team discovered a vulnerability that could potentially leak documents and compromise users' computers.

That vulnerability, according to researchers at Tenable, affects Slack for Windows version 3.3.7. It could allow attackers to change the location in which a user's downloaded files are stored, and from there to tamper with any documents shared in future, including injecting malicious code into them.

Tenable explains further: “The vulnerability could have allowed an attacker to send a crafted hyperlink via a Slack message that, once clicked, changes the document download location path to an attacker-owned file share. By exploiting the flaw, an attacker can not only steal future documents downloaded within Slack, but they can also manipulate them, such as injecting malicious code that would compromise the victim's machine once opened.

“This technique could be unmasked by savvy Slack users; however, if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting,” adds Tenable's David Wells.

“Furthermore, we could have easily manipulated the download item when we control the share it's uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share; the options from there on are endless.”

Slack did its own investigations and found no evidence that the vulnerability was exploited, or that any users were impacted.

However, the vulnerability does prove that users should always be vigilant.

According to Tenable cofounder and chief technology officer Renaud Deraison, the digital economy and the distributed workforce have given rise to seamless connectivity.

“It's critical that organisations realise this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organisations are secure.”

Slack has released version 3.4.0 to address this vulnerability. Users are urged to confirm that their Slack for Windows is updated to this latest version.
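As an added example (not code from the article, Tenable or Slack), the following Python triage script checks the two things a defender would want to verify after reading this story: that each Windows endpoint runs Slack 3.4.0 or later, and that its configured download location has not been redirected to a remote SMB share outside the organisation's own file servers. It assumes you already collect each machine's Slack version and download path through your own inventory tooling; the sample records, hostnames and paths below are constructed.

```python
import re
from typing import Optional

# Version the article reports as fixing the flaw (Slack for Windows 3.4.0).
FIXED_VERSION = (3, 4, 0)

# Matches \\host\share and also the long form \\?\UNC\host\share.
_UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\([^\\]+)")

def parse_version(text: str) -> tuple:
    """'3.3.7' -> (3, 3, 7); tolerates a leading 'v' or trailing build tags."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(text: str) -> bool:
    """True when the installed build predates the 3.4.0 fix."""
    return parse_version(text) < FIXED_VERSION

def remote_share_host(path: str) -> Optional[str]:
    """Host portion of a UNC download path, or None for a local path."""
    m = _UNC_RE.match(path.strip().replace("/", "\\"))
    return m.group(1).lower() if m else None

def assess_download_path(path: str, trusted_hosts: set) -> str:
    """Classify where Slack would write downloaded files."""
    host = remote_share_host(path)
    if host is None:
        return "local"
    return "trusted-share" if host in trusted_hosts else "untrusted-share"

def triage(inventory: list, trusted_hosts: set) -> list:
    """Return (machine, reason) pairs that deserve a closer look."""
    findings = []
    for rec in inventory:
        if is_vulnerable_version(rec["slack_version"]):
            findings.append((rec["machine"], "slack-below-3.4.0"))
        if assess_download_path(rec["download_path"], trusted_hosts) == "untrusted-share":
            findings.append((rec["machine"], "download-path-on-untrusted-share"))
    return findings

# Constructed sample inventory (hypothetical machines, versions and paths).
SAMPLE_INVENTORY = [
    {"machine": "ws01", "slack_version": "3.3.7",
     "download_path": r"C:\Users\alice\Downloads"},
    {"machine": "ws02", "slack_version": "3.4.0",
     "download_path": r"\\fileserver.corp.example\public\slack"},
    {"machine": "ws03", "slack_version": "3.3.7",
     "download_path": r"\\203.0.113.9\share\slack"},
]
TRUSTED_SHARE_HOSTS = {"fileserver.corp.example"}  # assumed corporate file server

if __name__ == "__main__":
    for machine, reason in triage(SAMPLE_INVENTORY, TRUSTED_SHARE_HOSTS):
        print(f"{machine}: {reason}")
```

A machine whose download path points at an unknown share is worth investigating even when its Slack build is already patched, since the setting may have been changed before the update.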