The hyperlink text can be masqueraded by using the "attachment" feature in Slack, which allows an attacker to replace the hyperlink’s actual uniform resource identifier with any custom text, possibly fooling users into clicking. The attacker could also manipulate the contents of the documents after download before the victim opens them. This download path can be an attacker-owned SMB share, which would cause all future documents downloaded in Slack to be instantly uploaded to the attacker's server. A crafted link like “slack://settings/?update=” will change the default download location. AnalysisĪn attacker can abuse the "slack://" protocol handler, which has the capability to change sensitive settings in the Slack Desktop Application. We cannot confirm how many of those are Windows App users.
Slack has 10 million active users every day and 85,000 organizations use the paid version. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium).
This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. Tenable Research discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. Users should ensure their Slack desktop application is up to date. Tenable worked with Slack via HackerOne based on our coordinated disclosure policy and Slack has since released a new version of its Windows desktop client to address this vulnerability. Tenable Researcher David Wells discovered a vulnerability in Slack Desktop for Windows that could have allowed an attacker to alter where files downloaded within Slack are stored.
0 kommentar(er)
