Slack Bug Allows Remote Malware Injection


A vulnerability in the Windows desktop version of the Slack collaboration platform allows an attacker to change where files downloaded through Slack are saved. By redirecting downloads to an SMB server they control, attackers can read the documents and manipulate their contents, altering information or injecting malware.

Tenable Research's David Wells discovered the bug and reported it via the HackerOne bug-bounty platform. The download hijack vulnerability in Slack Desktop version 3.3.7 for Windows lets an attacker post a specially crafted hyperlink into a Slack channel that, when clicked, changes the path where the application saves downloaded documents. The issue exists in the slack:// protocol handler, which can change sensitive settings in the Slack desktop application. The new download path can be an attacker-owned SMB share, so every document downloaded in Slack from then on is immediately written to the attacker's server. Victims can still open downloaded documents through the application, but the files are served from the attacker's Server Message Block (SMB) share rather than from local disk.

The path has to be an SMB share because of a security check built into the application. Slack filters certain characters out of the supplied path, including colons, so an attacker cannot supply a path that starts with a drive root such as C:\. A UNC path to an SMB share (\\server\share) needs no drive letter or colon, so it passes the filter untouched. After setting up a remote SMB share, the attacker sends users or channels a link that, once clicked, redirects all of their subsequent downloads to it.

An attack can be carried out by both authenticated and unauthenticated users. In the first scenario, an insider could exploit the vulnerability for corporate espionage, to manipulate documents, or to gain access to documents outside their role or privilege level. In the second scenario, an outsider could plant crafted hyperlinks in content that is pulled into a Slack channel via external RSS feeds.

Beyond the data leak, the vulnerability could serve as a starting point for broader attacks. Because downloaded files are opened from the attacker's share, the attacker's server can inject malware into an Office document after it is downloaded, so that the victim's machine is compromised when the document is opened. The Slack user who opens or executes the downloaded file is actually interacting with the modified document or script on the remote SMB share, and from there the attacker's options are wide open.

Because it requires user interaction, the vulnerability is rated medium severity with a CVSS score of 5.5. However, an attacker can mask the malicious URL behind a plausible-looking address such as http://google.com to lend it legitimacy and entice a Slack user to click. Slack allows link text to be attached to words in a message by adding an attachment field with the appropriate fields to a Slack POST request. Using this attachment feature, the attacker replaces the hyperlink's displayed text with arbitrary content, so the visible link no longer reflects the actual uniform resource identifier.
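As an added example (not from the article, Tenable, or Slack), the check below scans a message payload of the kind sent to Slack's chat.postMessage API for links whose visible text hides the real target. Slack's message markup writes a link as `<url|label>`, and attachments carry text in several fields, so every string in the payload is scanned. The payload is constructed; the `slack://hypothetical-settings-link` target is a stand-in, since the actual crafted settings link is not reproduced on this page.

```javascript
// Slack message markup link: <url|label>. The url part never contains whitespace.
const LINK_RE = /<([^<>|\s]+)\|([^<>]+)>/g;

// Constructed sample payload (not a real message). One honest link, one link
// whose label is a different URL, and one slack:// link dressed up as google.com.
const SAMPLE_PAYLOAD = {
  channel: "#general",
  text: "Q3 numbers are in: <https://files.example.com/q3.xlsx|Q3 report>",
  attachments: [
    {
      fallback: "Q3 numbers",
      pretext: "Also see <https://attacker.example/q3.xlsx|https://files.example.com/q3.xlsx>",
      text: "Settings: <slack://hypothetical-settings-link|http://google.com>",
      fields: [{ title: "Owner", value: "finance", short: true }],
    },
  ],
};

// Parse a URL, or a bare host like "www.example.com", into scheme and host.
function hostOf(s) {
  try {
    const u = new URL(/^[a-z][a-z0-9+.-]*:/i.test(s) ? s : "https://" + s);
    return { protocol: u.protocol, host: u.hostname.toLowerCase() };
  } catch (e) {
    return null;
  }
}

// Does the label read like a URL to a human (scheme, www., or host.tld)?
function looksLikeUrl(label) {
  const t = label.trim();
  return /^(?:[a-z][a-z0-9+.-]*:\/\/|www\.)/i.test(t) ||
    /^[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(t);
}

// Reasons a single link deserves attention: a non-web scheme such as slack://,
// or a URL-looking label whose host differs from the real target's host.
function inspectLink(href, label) {
  const reasons = [];
  const target = hostOf(href);
  if (!target) return ["unparseable-target"];
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    reasons.push("non-web-scheme:" + target.protocol);
  }
  if (looksLikeUrl(label)) {
    const shown = hostOf(label);
    if (!shown || shown.host !== target.host) reasons.push("label-host-mismatch");
  }
  return reasons;
}

// Walk the payload and collect every string with a JSONPath-style location.
function collectStrings(value, where, out) {
  if (typeof value === "string") out.push({ where, value });
  else if (Array.isArray(value)) value.forEach((v, i) => collectStrings(v, `${where}[${i}]`, out));
  else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) collectStrings(v, `${where}.${k}`, out);
  }
  return out;
}

// Return one finding per suspicious link: where it sits, target, label, reasons.
function findMaskedLinks(payload) {
  const findings = [];
  for (const { where, value } of collectStrings(payload, "$", [])) {
    for (const m of value.matchAll(LINK_RE)) {
      const [, href, label] = m;
      const reasons = inspectLink(href, label);
      if (reasons.length) findings.push({ where, href, label, reasons });
    }
  }
  return findings;
}

console.log(JSON.stringify(findMaskedLinks(SAMPLE_PAYLOAD), null, 2));
```

Run against the sample, the honest link in `text` produces nothing, the attachment `pretext` is flagged for a label-host mismatch, and the attachment `text` is flagged twice: once for the non-web `slack:` scheme and once because `http://google.com` does not match the real target. The same scan can be run over an outbound-webhook proxy or over exported message logs.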

Slack has 10 million daily active users, and 85,000 organizations use the paid version. Slack patched the bug in its latest update to the Slack desktop application for Windows, v3.4.0, so users should upgrade their clients.