
Slack users urged to update to prevent security vulnerability

20 May 2019

Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately, after a security research team discovered a vulnerability that could potentially leak documents and compromise users’ computers.

According to researchers at Tenable, the vulnerability affects Slack for Windows version 3.3.7. It could allow attackers to change the location in which a user’s files are stored, and to manipulate any future shared documents with malicious code.

Tenable explains further: “The vulnerability could have allowed an attacker to send a crafted hyperlink via a Slack message that, once clicked, changes the document download location path to an attacker-owned file share. By exploiting the flaw, an attacker can not only steal future documents downloaded within Slack, but they can also manipulate them, such as injecting malicious code that would compromise the victim’s machine once opened.”

“This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it’s that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting,” adds Tenable’s David Wells.

“Furthermore, we could have easily manipulated the download item when we control the share it’s uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share, the options from there on are endless.”

Slack did its own investigations and found no evidence that the vulnerability was exploited, or that any users were impacted.

However, the vulnerability does prove that users should always be vigilant.

According to Tenable cofounder and chief technology officer Renaud Deraison, seamless connectivity has been born from the digital economy and the distributed workforce.

“It’s critical that organisations realise this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organisations are secure.”

Slack has released version 3.4.0 to address this vulnerability. Users are urged to confirm that their Slack for Windows is updated to this latest version.
