On May 17, 2019, security firm Tenable announced that one of its researchers, David Wells, had discovered a bug in Slack's Windows desktop client. The bug affects version 3.3.7 of the Slack desktop app, which as of last week was the most current release. Read on to learn how the bug was discovered, what it can do, and how to protect yourself.
Wells reported the vulnerability through Slack's bug bounty program on HackerOne. Programs like this pay white hat hackers for responsibly disclosing previously unknown vulnerabilities so that companies can fix them before serious damage is done.
Under the terms of this program, the bug was not disclosed publicly until Slack had the opportunity to release a fix. Slack has since released that fix, but any of its roughly 10 million daily active users who haven't yet updated the Windows client remain vulnerable.
Wells found that Slack's protocol handler, slack://, can do quite a bit more than open the app. It can modify sensitive application settings, including the directory to which the client saves downloaded files. An attacker can abuse this by crafting a slack:// link that, when clicked, silently changes the victim's download location to a path of the attacker's choosing, including a network (SMB) share the attacker controls.
From then on, every file the victim downloads through Slack is written to the attacker's share instead of the local disk. The attacker can read those files and, because the victim opens them from the share, can also modify them before the victim gets a chance to open them.
The attack is also fairly easy to hide. Slack's attachment feature lets users set the text that displays for a hyperlink, so the malicious slack:// link can be disguised as "Account Report 004.docx" or any other plausible-looking file name.
Lastly, a skilled attacker could use this foothold to inject malicious content into an Office file (a Word document or Excel spreadsheet) sitting on the share before the victim opens it. This is a real danger, because Office files are exchanged as attachments all the time. Office warns users that downloaded files can be unsafe, but users nearly always dismiss that warning when they believe the document came from a trusted colleague.
A bad actor gaining access to every document a user downloads isn't good, of course, but how dangerous is this bug, actually? Tenable scored it 5.5 on the CVSSv2 scale, a medium severity. We see two reasons it doesn't score higher.
One, exploiting this vulnerability requires user involvement. If nobody clicks the link, the attacker gets nothing.
Two, exploiting it convincingly requires the ability to post a message where the victim will see it. You can't send a Slack message to just anyone; you must first be a member of the same workspace. In practice that limits the attack to disgruntled insiders and to attackers who have hacked or stolen a workspace member's credentials.
The good news is that Slack has already patched it. To protect yourself and your organization, make sure everyone running Slack for Windows has updated to version 3.4.0 or later. You can check your own version in the program's "About" window. If you don't have the access needed to update the application, contact IT right away.
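Checking the "About" window works for one machine, but an administrator wants to sweep every profile on a shared or remotely managed PC. The following PowerShell script is an added example written for this post; it is not code from Slack or Tenable. It assumes the standard per-user install location, C:\Users\<user>\AppData\Local\slack\app-<version>\slack.exe, and that the fixed release is 3.4.0 as stated above. Run it from an elevated prompt so that other users' profile folders are readable.

```powershell
# Added example: report the newest Slack for Windows build installed under each
# user profile and flag any that is older than the fixed release (3.4.0).
#
# Assumption: the per-user installer places each release in
#   C:\Users\<user>\AppData\Local\slack\app-<version>\
# Older app-<version> folders may linger after an update, so the newest one
# found per profile is taken as the running version.

$FixedVersion = [version]'3.4.0'

function Get-SlackInstalls {
    param([string]$ProfileRoot = "$env:SystemDrive\Users")

    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $slackRoot = Join-Path $userDir.FullName 'AppData\Local\slack'
        if (-not (Test-Path -Path $slackRoot)) { continue }

        # Only accept folders that carry a plain dotted version, e.g. app-3.4.0
        $versions = Get-ChildItem -Path $slackRoot -Directory -Filter 'app-*' |
            Where-Object { $_.Name -match '^app-\d+(\.\d+){1,3}$' } |
            ForEach-Object { [version]$_.Name.Substring(4) } |
            Sort-Object -Descending

        if (-not $versions) { continue }
        $newest = @($versions)[0]

        [pscustomobject]@{
            User       = $userDir.Name
            Version    = $newest
            Vulnerable = ($newest -lt $FixedVersion)
        }
    }
}

$results = @(Get-SlackInstalls)
$results | Format-Table -AutoSize

$bad = @($results | Where-Object { $_.Vulnerable })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} profile(s) still run a vulnerable Slack build; update to {1} or later." -f $bad.Count, $FixedVersion)
    exit 1
}
```

The non-zero exit code lets the script double as a compliance check in an RMM or scheduled task: any machine where it exits 1 still has a pre-3.4.0 client and should be pushed the update.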
IT administrators who deployed Slack with the MSI (Microsoft Installer) package should check out these instructions provided by the Slack team for updating that deployment.
There's more good news. Because Tenable reported the bug to Slack through HackerOne, Slack was able to fix the vulnerability before it became publicly known, and Slack's own investigation found no evidence that the vulnerability had been exploited in the wild.
Vulnerabilities like this one are discovered every day. Are you protected? If you're not sure, give us a call. We stay up to date, and we keep our clients safe.
ICS is a Texas-based 40-year-old technology company specializing in Managed IT, VoIP, Video Conferencing and Video Surveillance solutions for US and International businesses. ICS has over 4000 regional installations and specializes in multi-site businesses between 25 and 2500 employees. ICS’s customers enjoy the experience of ICS’s Total Care program which provides clients flat fee services with obsolescence and growth protection. Whether a customer elects to deploy their IT, Video Conferencing or VoIP in the cloud or on the customer’s premise, ICS can provide a full turn-key solution for our clients under one flat monthly fee.