Slack fixes bug that could have let hackers intercept downloads

Slack has fixed a bug that could have allowed hackers to intercept and redirect downloads in the Windows desktop version of the messaging app. However, it seems no Slack users were affected before the service fixed the vulnerability.

A researcher with cybersecurity firm Tenable found that hackers could have placed a malicious link in a Slack channel that, when clicked, would have allowed them to redirect a user’s downloads to a file server belonging to the attacker. From there, the attacker obviously could have stolen the document. Since many workplaces use Slack in place of email, it seems inevitable that files with sensitive data change hands through the service.

Attackers could even have “inserted malicious code in [a document] so that when opened by victim after download [by clicking on them in Slack], their machine would have been infected,” Tenable researcher David Wells, who discovered the bug, wrote. “The options from there on are endless.”

As Wells suggests, a hacker might have been able to place a malicious link in a Slack channel using RSS feeds, which Slack users can add to channels. Hackers would have also been able to mask malicious links so they looked like URLs to legitimate websites.

Tenable reported the bug to Slack and it was patched in version 3.4.0 of the Windows app. “Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted,” Slack told Gizmodo. “As always, users are encouraged to [update] their apps and clients to the last available version.”

Via: Gizmodo
Source: Tenable (1), (2)