时间:2024-09-20 09:04:33 来源:网络整理编辑:熱點
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Well's security firm Tenable said in a separate report.
The vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controller server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle of carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noticed how Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.
Dramatic photo captures nun texting friends after Italy earthquake2024-09-20 08:51
男性吃壯陽有什麽危害2024-09-20 08:40
黃豆頸椎枕的最佳尺寸2024-09-20 08:28
自製青梅酒的危害有哪些?2024-09-20 08:14
Xiaomi accused of copying again, this time by Jawbone2024-09-20 08:13
參芪扶正適用哪些病症2024-09-20 07:31
剖腹產懷二胎時刀疤疼2024-09-20 07:26
能降血糖的食物有哪些2024-09-20 06:59
Felix the cat just raised £5000 for charity because she's the hero we all need2024-09-20 06:50
柿餅和橘子能一起吃嗎2024-09-20 06:20
Tributes flow after death of former Singapore president S.R. Nathan2024-09-20 08:43
兒童洗牙的危害有哪些2024-09-20 08:20
小孩可以做的簡單甜品2024-09-20 07:28
女人排卵期是什麽時候開始2024-09-20 07:23
This German startup wants to be your bank (without being a bank)2024-09-20 07:01
吃什麽食物能治療早射2024-09-20 06:59
怎樣才能提高免疫力和抵抗力?2024-09-20 06:48
小孩晚上鼻塞白天又沒事兒2024-09-20 06:36
Carlos Beltran made a very interesting hair choice2024-09-20 06:28
重組牛堿生長因子危害2024-09-20 06:22