Serviceteam IT Security News

Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s files were stored.

Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. “This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium),” today’s press release said.

If users click on the link, an attacker could not only steal future documents downloaded within Slack but also manipulate them, such as injecting malicious code that would compromise the victim’s machine once opened, according to Wells.

The attack reportedly can be performed through any Slack direct messaging or Slack channel to which an attacker might be authenticated.

“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview,” Wells wrote; he discusses the issue in depth in his blog post.

The flaw was found in the Slack desktop application for Windows version 3.3.7, which Tenable reported to Slack via HackerOne. “Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0. Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version,” a Slack spokesperson said.

“The digital economy and global distributed workforce have brought new technologies to market with the ultimate goal of seamless connectivity,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “But it’s critical that organizations realize this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organizations are secure.”

Source: Infosecurity Magazine
