Slack vulnerability allows attackers to intercept, modify downloads

guest · May 17, 2019

Slack vulnerability allows attackers to intercept, modify downloads
Improper handling of a custom URI created a vulnerability, now patched, for users of the Electron-based Slack Desktop client on Windows
May 17, 2019
https://www.techrepublic.com/articl...lows-attackers-to-intercept-modify-downloads/

A vulnerability in the Slack Desktop client on Windows allowing malicious actors to steal or manipulate downloads from users was discovered by security research firm Tenable, due to a fault in the way Slack treats clickable links, and how the slack:// URI works.

The vulnerability "could allow a remote attacker to submit a masqueraded link in a slack channel, that 'if clicked' by a victim, would silently change the download location setting of the slack client to an attacker owned SMB share," Tenable researcher David Wells wrote in a Tuesday blog post.

Wells also notes that the vulnerability can be used by malicious actors who are not members of a particular channel through the use of RSS feeds, which can be broadcast in a channel, containing links.
Click to expand...

Gizmodo: Slack Kills Scary Bug

Wells notes that security-conscious users would be unlikely to click on such a link. It can be obscured, however, using Slack’s attachments feature, which allows for a text hyperlink. The linked text can even be modified, making it appear as it leads to another domain, such as google.com. [...]
Click to expand...

Log in or Sign up

Slack vulnerability allows attackers to intercept, modify downloads

guest Guest

Log in or Sign up

Slack vulnerability allows attackers to intercept, modify downloads

guest Guest

Useful Searches