Software Bug Slack

On May 17, 2019, security firm Tenable announced that one of its researchers, David Wells, had discovered a Slack bug affecting Slack’s Windows desktop client. The bug affects version 3.3.7 of the Slack desktop app, which was just last week the most current version. Read on to learn more about this bug: how it was discovered, what it can do, and how to protect yourself.

Discovery and Reporting

Wells discovered the Slack vulnerability and reported it via HackerOne’s bug bounty program. This program allows white hat hackers to receive financial compensation for disclosing previously unknown vulnerabilities so that companies can address them before serious damage is done.

Under the terms of this program, the bug was not disclosed publicly until Slack had the opportunity to release a fix. Slack has since released that fix, but the segment of its 10 million active users that haven’t yet updated may remain vulnerable.

What the Bug Can Do

Wells discovered that slack’s protocol handler, “slack://”, can do quite a bit. It even has the ability to modify sensitive application settings. Attackers could abuse this protocol by creating a “slack://” link that reroutes the user’s download location. The powerful “slack://” protocol even allowed rerouting to an attacker-owned location.

The result of that action would be that files downloaded from Slack would actually be saved to the attacker’s server. The attacker would even be able to modify those files before the reviewer had a chance to open them.

The attack can also be hidden fairly well. Slack’s “Attachment” feature allows users to change the text that displays with a hyperlink, meaning the malicious link could be disguised as “Account Report 004.docx” or any number of realistic-looking files.

Lastly, an attacker with sufficient skill could inject malware into an Office file (like a Word document or Excel spreadsheet) using this exploit. This is a real danger, because Office files are tossed around as attachments all the time. Office warns users that downloaded files can be unsafe, but users will nearly always ignore this warning when they think they’ve downloaded a document from a trusted colleague.

The Danger Level

A bad actor gaining access to all downloaded documents isn’t good, of course, but how dangerous is this bug, actually? Tenable reports that it has scores 5.5 on the CVSSv2 scale, which is a medium score. We see two reasons the bug doesn’t score higher.

One, exploiting this vulnerability requires user involvement. If you don’t click the link, the attacker gets nothing.

Two, exploiting this vulnerability in a convincing way requires compromising the credentials of a Slack group member. It’s difficult if not impossible to send a message to just anyone using Slack. You have to first be a member of the same channel. This means that this exploit is more or less limited to disgruntled channel members and attackers who’ve hacked or stolen a channel member’s credentials.

How to Protect Yourself

The good news on this vulnerability is that Slack has already patched it. All you need to do to protect yourself and your organization is ensure that anyone using Slack for Windows has updated to version 3.4.0 or later. You can check yours by looking at the “About” window in the program. If you don’t have the access needed to update your application, contact IT right away.

IT Administrators looking to update a Microsoft Install deployment should check out these instructions provided by the Slack team.

More Good News: No Real-World Impact, Yet

There’s more good news about this bug and associated exploit. Because Tenable reported the bug to Slack through HackerOne, Slack was able to address the vulnerability before it became publicly known. According to the company’s reporting on its own research, they find no evidence that the vulnerability has been exploited in the real world yet.

Conclusion

Exploits like these are discovered every day. Are you protected? If you’re not sure, give us a call. We stay up to date and we keep our clients safe.

Know Someone Suffering From Bad IT Support?

Palindrome Consulting Wants To Help!

Palindrome Consulting
4.9
Based on 12 reviews
powered by Google
Elizabeth Mitrani
Elizabeth Mitrani
17:23 06 Aug 19
Palindrome Consulting was key in establishing my business and helps me keep it running. They are the consummate... professionals, incredibly knowledgeable and are always available to help. They have gone above and beyond to ensure that I was up and running quickly and that any issues that may arise on my end or dealt with immediately. I highly recommend Palindrome Consulting.read more
Moshe Rubinstein
Moshe Rubinstein
14:57 28 Jun 19
They are there every step of the way. Responsive and timely. The full service mentality mixed with the problem solving... abilities, is what makes them an easy choice.read more
Benjamin Wainberg
Benjamin Wainberg
14:09 28 Jun 19
Palindrome Consulting is customer centric. For Palindrome Data Safety is paramount; they keep their and our systems... updated with the newest technologies and are not shy at changing to better alternatives. Their platforms are always running and in the odd case there is an event, their technical team has an awesome response time.read more
Copier Man
Copier Man
13:56 28 Jun 19
We have been using Palindrome since 2005. They make my company feel like we are #1 all the time. Expert staff are... always available to help all my users all around the country.read more
Nelson T
Nelson T
20:32 25 Jun 19
Palindrome Consulting has proven itself time and time again to be the epitome of professionalism and technical... expertise. They take the time to listen to your needs and then apply their wealth of technical knowledge to create truly innovative and robust solutions. They truly deliver piece of mind.read more
Next Reviews
Palindrome Consulting