A remotely exploitable vulnerability in the Windows desktop app version of the Slack collaboration platform has been uncovered, which allows attackers to alter where files from Slack are downloaded. Attackers could redirect the files to their own SMB server and manipulate the contents of those documents, altering information or injecting malware.

According to Tenable Research’s David Wells, who discovered the bug and reported it via the HackerOne bug-bounty platform, a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows would allow an attacker to post a specially crafted hyperlink into a Slack channel that changes the document download location path when clicked.

The flaw involves “the ‘slack://’ protocol handler, which has the capability to change sensitive settings in the Slack Desktop Application,” Wells said in a posting on Friday. “This download path can be an attacker-owned SMB share, which would cause all future documents downloaded in Slack to be instantly uploaded to the attacker’s server.”

Victims can still open the downloaded document through the application; however, it will be opened from the attacker’s Server Message Block (SMB) share.

The reason it has to be an SMB share is a security check built into the platform. The Slack application filters certain characters out, including colons, so an attacker can’t supply a path with a drive root such as C:\. A UNC path to a remote share (\\server\share) contains no colon, so that filter never sees anything to strip. “An SMB share, however, completely bypassed this sanitation as there is no root drive needed,” Wells explained.

Remote Exploitation

An attack can be carried out by both authenticated and unauthenticated users, Wells said. “After setting up a remote SMB share, we could send users or channels a link that would redirect all downloads to it after they click the link.”

In the first scenario, an insider could exploit the vulnerability for corporate espionage, manipulation or to gain access to documents outside of their role or privilege level. In the second scenario, an outsider could place crafted hyperlinks into pieces of content that could be pulled into a Slack channel via external RSS feeds.

“I will drop an http link (because slack:// links are not allowed to be hyperlinked on Reddit) that will redirect to our malicious slack:// link and change settings when clicked. Here I could make a post to a very popular Reddit community that Slack users around the world are subscribed to (in this test case however, I chose a private one I owned),” Wells said. “Once posted to this subreddit, our test Slack channel (that is subscribed to this subreddit feed) is now populated with the new article entry and previews the text which includes the link.”

Success here would require knowing which RSS feeds the target Slack user subscribes to, of course.

Python Slack SDK

The Slack platform offers several APIs to build apps. Each Slack API delivers part of the capabilities from the platform, so that you can pick just those that fit your needs. This SDK offers a corresponding package for each of Slack’s APIs. They are small and powerful when used independently, and work seamlessly when used together, too.

- Send data to or query data from Slack using any of over 200 methods.
- Send a message using Incoming Webhooks or response_url.
- Receive and send messages over Socket Mode connections.
- Set up the authentication flow using V2 OAuth and OpenID Connect for Slack apps.
- Utilize the SCIM APIs for provisioning and managing user accounts and groups.
- Listen for incoming messages and a limited set of events happening in Slack, using WebSocket.
- Construct UI components using easy-to-use builders.
- Verify incoming requests from the Slack API servers.

The Python module documents are available at

Installation

This package supports Python 3.6 and higher.