时间:2026-07-11 15:48:10 来源:网络整理编辑:熱點
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Well's security firm Tenable said in a separate report.
Credit: david wells / medium / screenshotThe vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controller server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle of carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noticed how Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.
Make money or go to Stanford? Katie Ledecky is left with an unfair choice.2026-07-11 15:45
曝拜仁簽阿賈克斯飛翼達協議 兩大巴西國腳選其一2026-07-11 15:21
2021年度射手榜:萊萬多數據製霸 梅西歐戰吃大虧2026-07-11 14:47
尤文願8500萬歐出售德裏赫特 拜仁藍軍領跑爭奪戰2026-07-11 14:43
One of the most controversial power struggles in media comes to a close2026-07-11 14:19
體壇午飯:爭四狂魔阿森納歸來 重回主流豪門序列 ?2026-07-11 14:07
日媒評2021亞洲最佳陣:日本5將韓國僅孫興慜 無武磊2026-07-11 14:02
腦洞大開!C羅自薦巴薩 想租梅西豪宅因有7座金球2026-07-11 13:52
Researchers create temporary tattoos you can use to control your devices2026-07-11 13:44
滄州VS大連人首發 :奧斯卡PK博阿滕 拉爾森出戰2026-07-11 13:01
You can now play 'Solitaire' and 'Tic2026-07-11 15:30
C羅社媒發合影慶賀弗格森80歲大壽:爵爺生日快樂2026-07-11 15:28
奧斯卡發文慶祝助攻數超越100 感謝球隊每個成員支持(圖)2026-07-11 15:25
津媒:困獸猶鬥戰況激烈 中超保級形勢錯綜複雜2026-07-11 15:23
Hiddleswift finally followed each other on Instagram after 3 excruciating days2026-07-11 15:16
曼城前瞻 :藍月衝頂級聯賽神紀錄 斯特林期待5連斬2026-07-11 14:34
太戲劇!津門虎補時絕殺搶回保級主動權 下輪贏球就能回家2026-07-11 14:23
年度20佳進球:希克歐洲杯驚天吊射 林皇單騎闖關2026-07-11 14:21
How Hyperloop One went off the rails2026-07-11 14:11
中超保級形勢突變 津門虎重慶大連人最後一輪生死戰2026-07-11 13:30