
Slack users urged to update to prevent security vulnerability

20 May 2019

Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately, after a security research team discovered a vulnerability that could potentially leak documents and compromise users’ computers.

That vulnerability, according to researchers at Tenable, affects Slack for Windows version 3.3.7. It could allow attackers to change the location in which a user’s downloaded files are stored, and from there to tamper with any documents shared in future by injecting malicious code into them.

Tenable explains further: “The vulnerability could have allowed an attacker to send a crafted hyperlink via a Slack message that, once clicked, changes the document download location path to an attacker-owned file share. By exploiting the flaw, an attacker can not only steal future documents downloaded within Slack, but they can also manipulate them, such as injecting malicious code that would compromise the victim’s machine once opened.”

“This technique could be unmasked by savvy Slack users; however, if decades of phishing campaigns have taught us anything, it’s that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting,” adds Tenable’s David Wells.

“Furthermore, we could have easily manipulated the download item when we control the share it’s uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc. off the remote SMB share; the options from there on are endless.”
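The two conditions Tenable describes, a chat hyperlink that is not an ordinary web link and a download location that points at a network share rather than a local folder, are both things a defender can check for mechanically. The following Python is an added example and is not Tenable's code or Slack's; the article does not give the format of the crafted link or of the client's settings store, so the `app://` scheme, the host names and the paths below are constructed placeholders, and the functions simply take the link text and the configured path as strings from wherever an organisation can obtain them (endpoint telemetry, a settings backup, a message export).

```python
import re
from typing import List
from urllib.parse import urlparse, unquote

# Schemes a desktop chat client is expected to open in a browser.
SAFE_SCHEMES = {"http", "https"}

# A UNC path (\\server\share, possibly with doubled backslashes as it would
# appear inside JSON or a query string). Used on decoded link text.
UNC_IN_TEXT = re.compile(r"\\{2,}[^\\/\s'\"]+\\+[^\\/\s'\"]+")


def normalize_windows_path(path: str) -> str:
    """Strip quotes and the \\?\ long-path prefix so that a UNC path
    always starts with two backslashes and a local path never does."""
    p = path.strip().strip('"').strip("'")
    low = p.lower()
    if low.startswith("\\\\?\\unc\\"):      # \\?\UNC\server\share -> \\server\share
        return "\\\\" + p[8:]
    if low.startswith("\\\\?\\"):           # \\?\C:\dir -> C:\dir
        return p[4:]
    return p


def is_remote_download_path(path: str) -> bool:
    """True if a configured download folder resolves to a network share
    (\\server\share or //server/share), which is the condition the
    article describes: future downloads land on a share the user does
    not control."""
    p = normalize_windows_path(path).replace("/", "\\")
    if not p.startswith("\\\\"):
        return False
    parts = [x for x in p[2:].split("\\") if x]
    return len(parts) >= 2           # need at least \\server\share


def link_risk(url: str) -> List[str]:
    """Reasons a hyperlink received in a chat message deserves review.
    Returns an empty list for an ordinary web link."""
    reasons = []
    u = url.strip()
    parsed = urlparse(u)
    scheme = parsed.scheme.lower()
    if scheme not in SAFE_SCHEMES:
        reasons.append(
            f"non-web scheme '{scheme or '(none)'}' would be handed to a desktop application")
    if scheme == "file" and parsed.netloc:
        reasons.append("file:// URL that points at a remote host")
    # Percent-decode first: \ is usually encoded as %5C in a query string.
    if UNC_IN_TEXT.search(unquote(u)):
        reasons.append("embeds a UNC network-share path")
    return reasons


if __name__ == "__main__":
    # Constructed sample data for this example (not from the article).
    links = [
        "https://example.com/quarterly-report.pdf",
        "file://fileserver.example/share/doc.docx",
        "app://settings?path=%5C%5Cattacker.example%5Cshare",  # hypothetical scheme
    ]
    paths = [
        r"C:\Users\alice\Downloads",
        r"\\attacker.example\share\Downloads",
        r"\\?\UNC\attacker.example\share",
    ]
    for link in links:
        print(link, "->", link_risk(link) or "ok")
    for path in paths:
        print(path, "->", "REMOTE SHARE" if is_remote_download_path(path) else "local")
```

The path check is the more useful of the two for a security team: a link only shows intent, whereas a download folder that has silently become a UNC path is the state the article says persists after one click and affects every later download. Running `is_remote_download_path` over the configured download location on each Windows endpoint, and alerting when it returns `True`, turns the described condition into something that can be found rather than inferred.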

Slack did its own investigations and found no evidence that the vulnerability was exploited, or that any users were impacted.

However, the vulnerability is a reminder that users should always be vigilant.

According to Tenable cofounder and chief technology officer Renaud Deraison, seamless connectivity is a product of the digital economy and the distributed workforce.

“It’s critical that organisations realise this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organisations are secure.”

Slack has released version 3.4.0 to address this vulnerability. Users are urged to confirm that their Slack for Windows is updated to this latest version.
