On May 17, 2019, security firm Tenable announced that one of its researchers, David Wells, had discovered a Slack bug affecting Slack’s Windows desktop client. The bug affects version 3.3.7 of the Slack desktop app, which was just last week the most current version. Read on to learn more about this bug: how it was discovered, what it can do, and how to protect yourself.

Wells discovered the Slack vulnerability and reported it via HackerOne’s bug bounty program. This program allows white hat hackers to receive financial compensation for disclosing previously unknown vulnerabilities so that companies can address them before serious damage is done. Under the terms of this program, the bug was not disclosed publicly until Slack had the opportunity to release a fix. Slack has since released that fix, but the segment of its 10 million active users that haven’t yet updated may remain vulnerable.

Wells discovered that Slack’s protocol handler, “slack://”, can do quite a bit. It even has the ability to modify sensitive application settings. Attackers could abuse this protocol by creating a “slack://” link that reroutes the user’s download location.

The powerful “slack://” protocol even allowed rerouting to an attacker-owned location. The result of that action would be that files downloaded from Slack would actually be saved to the attacker’s server. The attacker would even be able to modify those files before the recipient had a chance to open them. The attack can also be hidden fairly well. Slack’s “Attachment” feature allows users to change the text that displays with a hyperlink, meaning the malicious link could be disguised as “Account Report 004.docx” or any number of realistic-looking files. Lastly, an attacker with sufficient skill could inject malware into an Office file (like a Word document or Excel spreadsheet) using this exploit. This is a real danger, because Office files are tossed around as attachments all the time. Office warns users that downloaded files can be unsafe, but users will nearly always ignore this warning when they think they’ve downloaded a document from a trusted colleague.

The Danger Level

A bad actor gaining access to all downloaded documents isn’t good, of course, but how dangerous is this bug, actually? Tenable reports that it scores 5.5 on the CVSSv2 scale, which is a medium score. We see two reasons the bug doesn’t score higher. One, exploiting this vulnerability requires user involvement. If you don’t click the link, the attacker gets nothing. Two, exploiting this vulnerability in a convincing way requires compromising the credentials of a Slack group member. It’s difficult if not impossible to send a message to just anyone using Slack. You have to first be a member of the same channel. This means that this exploit is more or less limited to disgruntled channel members and attackers who’ve hacked or stolen a channel member’s credentials.

The good news on this vulnerability is that Slack has already patched it. All you need to do to protect yourself and your organization is ensure that anyone using Slack for Windows has updated to version 3.4.0 or later. You can check yours by looking at the “About” window in the program. If you don’t have the access needed to update your application, contact IT right away. IT administrators looking to update a Microsoft Install deployment should check out these instructions provided by the Slack team.

More Good News: No Real-World Impact, Yet

There’s more good news about this bug and associated exploit. Because Tenable reported the bug to Slack through HackerOne, Slack was able to address the vulnerability before it became publicly known. According to the company’s reporting on its own research, they find no evidence that the vulnerability has been exploited in the real world yet.

Conclusion

Exploits like these are discovered every day.
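A defender-side check for the disguised link described in the attack section above, added here as an example and not code from the article or from Tenable: it scans message text in Slack's mrkdwn link form `<url|label>` (assumed to be what a workspace export contains) and flags slack:// links whose visible label looks like a document. The slack:// path and parameter in the constructed sample are placeholders, not the real handler command.

```python
"""Flag Slack messages whose hyperlinks use the slack:// protocol handler but
are labelled to look like a document, the disguise the article describes.
Assumption: messages are dicts with 'user' and 'text' keys, text in mrkdwn."""
import re

LINK_RE = re.compile(r"<([^<>|]+)\|([^<>]+)>")                    # <url|label>
DOC_EXT_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|csv)$", re.IGNORECASE)


def analyse_message(text):
    """Return a list of findings for one message; an empty list means clean."""
    findings = []
    for url, label in LINK_RE.findall(text):
        scheme = url.split(":", 1)[0].lower()
        if scheme != "slack":          # ordinary https links are out of scope here
            continue
        label = label.strip()
        reasons = ["link targets the slack:// protocol handler"]
        if "?" in url or "=" in url:
            reasons.append("handler URL carries parameters")   # may alter client settings
        doc_like = bool(DOC_EXT_RE.search(label))
        if doc_like:
            reasons.append("label is styled as a document file name")
        findings.append({"url": url, "label": label, "reasons": reasons,
                         "severity": "high" if doc_like else "info"})
    return findings


def scan_messages(messages):
    """Run analyse_message over a sequence of messages and attach the sender."""
    report = []
    for m in messages:
        for finding in analyse_message(m.get("text", "")):
            report.append({"user": m.get("user"), **finding})
    return report


# Constructed sample data, not real traffic. The slack:// settings path is a placeholder.
SAMPLE_MESSAGES = [
    {"user": "U_ALICE", "text": "Deck: <https://files.example.com/deck.pptx|deck.pptx>"},
    {"user": "U_MALLORY", "text": "Please review "
        "<slack://PLACEHOLDER-SETTINGS-PATH?param=value|Account Report 004.docx>"},
    {"user": "U_BOB", "text": "Deep link: <slack://channel?team=T1&id=C1|open channel>"},
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(hit["severity"].upper(), hit["user"], hit["label"], "->", hit["url"])
```

The legitimate `slack://channel?team=...&id=...` deep link is reported only at info level, so the rule separates ordinary handler use from a document-styled disguise.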