DO YOU EXCHANGE confidential files alongside GIFs on Slack? If you do, you'll be relieved to hear that Slack has patched a bug in the Windows client that could have allowed malicious parties to send all your downloads to their own private server.
The bug was uncovered by Tenable - the cybersecurity firm, not the tremendously forgettable Warwick Davis quiz show - and showed how placing a malicious link in a Slack channel would, once clicked, change the download directory to a remote file server. Attackers could even insert malicious code infecting machines if they wished.
"The options are endless," the researchers wrote, with a touch of hyperbole given there's definitely an end to the options.
"This entire technique relied on how Slack treated clickable links and what was possible with certain slack:// links," the researchers wrote. With a little obfuscation, such a link could be made to look like a regular one, and any authenticated channel member could post it.
The question you might have is how a non-authenticated hacker would get a malicious link into a Slack channel. If the channel isn't private, then presumably any files aren't that secret, and if it is, then it's only open to disgruntled employees. Not so: the researchers point out that plenty of Slack workspaces have channels that draw in RSS feeds, so compromising the RSS feed would provide an access point. Though you'd have to really want to see an organisation's downloads to jump through all these hoops.
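Since the delivery vector described above is a link that looks ordinary but carries a non-web scheme, the defensive check is to inspect links in bot-posted (e.g. RSS-ingested) messages before trusting them. The following is an added example, not code from the article or from Tenable; it assumes Slack's mrkdwn link format (`<href|label>`), and the slack:// payload used in the sample message is a constructed placeholder, not the real one.

```python
import re
from urllib.parse import urlparse

# Slack mrkdwn wraps links as <href> or <href|label>; this pattern is an
# assumption about that format, not something taken from the write-up.
LINK_RE = re.compile(r"<([^<>|]+)(?:\|([^<>]*))?>")
# A label that itself reads like a URL, e.g. "https://docs.example.com/x"
LABEL_URL_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def extract_links(message: str) -> list[tuple[str, str]]:
    """Return (href, label) pairs for every link in a Slack-formatted message."""
    return [(m.group(1), m.group(2) or "") for m in LINK_RE.finditer(message)]

def scan_message(message: str) -> list[dict]:
    """Flag links with a non-web scheme (such as slack://) and links whose
    visible label looks like a URL but points at a different host."""
    findings = []
    for href, label in extract_links(message):
        reasons = []
        parsed = urlparse(href)
        scheme = parsed.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            reasons.append(f"non-web scheme {scheme!r}")
        m = LABEL_URL_RE.match(label.strip())
        if m and m.group(1).lower() != (parsed.hostname or "").lower():
            reasons.append("label looks like a URL but href points elsewhere")
        if reasons:
            findings.append({"href": href, "label": label, "reasons": reasons})
    return findings

def scan_feed(messages: list[str]) -> list[dict]:
    """Run scan_message over a batch, e.g. messages an RSS integration posted."""
    return [f for msg in messages for f in scan_message(msg)]

# Constructed sample messages; the second mimics a disguised slack:// link.
SAMPLE_MESSAGES = [
    "Meeting notes: <https://docs.example.com/notes|Q3 notes>",
    "<slack://PLACEHOLDER-DEEP-LINK|https://docs.example.com/notes>",
    "<http://example.net/|example.net>",
]

if __name__ == "__main__":
    for finding in scan_feed(SAMPLE_MESSAGES):
        print(finding)
```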
It's a moot point, anyway. When Tenable reported the bug to Slack, the company patched it out in version 3.4.0, with no suggestion that it had ever been exploited by ne'er-do-wells.
"Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted," the company told Gizmodo. "As always, users are encouraged to [update] their apps and clients to the last available version." µ