Slack users have been warned to take extra care when using the online collaboration service after researchers uncovered worrying security risks.
According to an AT&T AlienLabs report, incoming ‘webhooks’, which are used to connect from third-party apps to post messages on Slack, can be hijacked to carry out phishing attacks.
A compromised webhook not only allows unauthorized users to send messages to all the Slack channels, but it can also alter channel posting permissions.
Since webhooks cannot carry data out themselves, attackers could instead use them to con Slack users into installing malicious apps, opening a potential entry route for stealing data from the workspace.
The researchers showed how a simple application created with the aim to phish data can be shared via spam messages to multiple Slack channels. Once a user installs the malicious application, it can then easily exfiltrate data and send it back to the hackers.
Also, once a malicious app is installed on a system, it can be used to send messages on behalf of the user, making other contacts believe the app to be trustworthy.
Since Slack allows users to install third-party apps to use in conjunction with the platform by default, the researchers recommend that workspace owners should restrict users from installing third-party apps using Slack’s inbuilt whitelisting options in order to mitigate the threat.
Mandatory approval by Admins before downloading and installing applications that have not gone through Slack’s security review process is also recommended to limit any potential threats.
Monitoring Slack audit data with a security analytics platform can also raise an alarm when:
- Multiple users install the same app within a short period of time
- An application is installed that requests high-risk scopes
- An app_scopes_expanded event shows that a previously installed app is requesting new scopes
- Uncommon calls that could be used for data exfiltration occur, such as manual_export_started, the action that exports workspace data
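As an added illustration of the four monitoring rules above (not code from the AlienLabs report or from Slack), here is a small Python detector run over constructed audit-log lines; the JSON field layout, the high-risk scope set and the three-users-in-ten-minutes threshold are assumptions, not Slack's own definitions:

```python
import json
from collections import defaultdict

# Policy choices for this example (assumptions, not Slack's own classification):
HIGH_RISK_SCOPES = {"files:read", "channels:history", "groups:history",
                    "im:history", "users:read.email", "admin"}
MASS_INSTALL_USERS = 3          # distinct installers of one app ...
MASS_INSTALL_WINDOW = 10 * 60   # ... within this many seconds

# Constructed sample, loosely modelled on Slack audit-log JSON (field names assumed).
SAMPLE_LOG = """\
{"action":"app_installed","date_create":1700000000,"actor":{"user":{"id":"U1"}},"entity":{"app":{"id":"A1","name":"Note Helper"}},"details":{"new_scope":["chat:write"]}}
{"action":"app_installed","date_create":1700000120,"actor":{"user":{"id":"U2"}},"entity":{"app":{"id":"A1","name":"Note Helper"}},"details":{"new_scope":["chat:write"]}}
{"action":"app_installed","date_create":1700000300,"actor":{"user":{"id":"U3"}},"entity":{"app":{"id":"A1","name":"Note Helper"}},"details":{"new_scope":["chat:write","files:read"]}}
{"action":"app_scopes_expanded","date_create":1700003600,"actor":{"user":{"id":"U1"}},"entity":{"app":{"id":"A1","name":"Note Helper"}},"details":{"new_scope":["channels:history"]}}
{"action":"manual_export_started","date_create":1700007200,"actor":{"user":{"id":"U9"}},"entity":{"workspace":{"id":"T1"}},"details":{}}
{"action":"app_installed","date_create":1700090000,"actor":{"user":{"id":"U4"}},"entity":{"app":{"id":"A2","name":"Calendar"}},"details":{"new_scope":["chat:write"]}}
"""

def detect(log_text):
    """Return a list of (rule, app_id, user_id) alerts for the four conditions."""
    alerts = []
    installs = defaultdict(list)  # app id -> [(timestamp, installing user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        action, ts = e["action"], e["date_create"]
        user = e["actor"]["user"]["id"]
        app_id = e.get("entity", {}).get("app", {}).get("id")
        scopes = set(e.get("details", {}).get("new_scope", []))
        if action == "app_installed":
            installs[app_id].append((ts, user))
            if scopes & HIGH_RISK_SCOPES:          # rule 2: high-risk scopes at install time
                alerts.append(("high_risk_scopes", app_id, user))
        elif action == "app_scopes_expanded":      # rule 3: an installed app asks for more
            alerts.append(("scopes_expanded", app_id, user))
        elif action == "manual_export_started":    # rule 4: workspace export kicked off
            alerts.append(("export_started", None, user))
    for app_id, events in installs.items():        # rule 1: many users, same app, short window
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= MASS_INSTALL_WINDOW}
            if len(users) >= MASS_INSTALL_USERS:
                alerts.append(("mass_install", app_id, None))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feeding real audit-log exports through the same function would require mapping the field names to the actual schema and tuning the thresholds to the workspace's normal install rate.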
Experts also suggest that Slack should, by default, limit the functionality of applications that have not been reviewed, and that incoming webhooks should only be allowed to post to the channel they were defined for.
In response to the findings Slack has said that, “We proactively scrape GitHub for publicly exposed webhooks and invalidate them. Webhooks are safe as long as they remain secret since the webhook URL itself is unguessable. We allow teams to require admin approvals on all apps, and recommend they establish and follow basic security diligence procedures before permitting apps to be added into a workspace.”
It advised users to “establish and follow basic security diligence procedures before permitting apps to be added into a workspace.”
Via: AT&T AlienLabs