Andrei - stock.adobe.com
Coronavirus: Researcher finds security vulnerability in Slack
Some common assumptions about the security of cloud-based messaging platform Slack may not be entirely accurate, says an Alien Labs researcher
The security risks associated with unified communications and collaboration (UCC) application Zoom have become one of the big stories of the Covid-19 coronavirus pandemic, but other UCC platforms are not immune from problems. According to AT&T’s Alien Labs, a vulnerability in cloud-native messaging service Slack could leave meetings open to disruption by malicious actors.
The vulnerability centres on Slack’s incoming webhooks, which let users post messages from various applications to Slack. If the user specifies a unique URL, a message body text and a destination channel, they can send a message to any webhook that they know the URL of in any workspace, regardless of their membership.
The Slack vulnerability was uncovered by Alien Labs cloud security researcher Ashley Graves, who said that although webhooks are considered a low-risk integration – the user must select a target channel, which reduces the scope of abuse, the webhook URL is secret, and webhooks only accept data, so cannot, on their own, expose data – this is not entirely accurate.
In a disclosure blog, Graves said a channel override could enable a malicious user to override the previously specified webhook target channel by adding the “channel” key to their JSON payload.
“If you gain access to a webhook for one channel, you can use it in others,” she wrote. “Considering sending to #general, #engineering and other default or common channels to target a wider audience.” Graves added that in some cases, this could override channel posting permissions – like admin-only posting.
“Slack documentation suggests that allowed target channels are based on the original creator of the webhook,” she said. “So if you can find a webhook created by an admin – congrats, you can post to admin channels.”
Graves said a quick scan of GitHub had thrown up more than 130,000 public code results that contained Slack webhook URLs, most of them containing the full unique value.
This puts organisations at risk of targeted phishing attacks. In such a scenario, an attacker would take these leaked URLs, create a malicious Slack app and allow its public installation, bombard the leaked webhooks with malicious messages, then track who installed the malicious application and use it to exfiltrate their data.
Security teams can mitigate this possibility today by activating options within Slack that let them manage users’ Slack applications by whitelisting them and requiring any new ones to go through Slack’s own app security review process before approval.
For the most sensitive environments, an administrator should be tasked with reviewing and approving new apps before installation, which is particularly important in organisations seeking to optimise their General Data Protection Regulation (GDPR) compliance.
Read more about Slack
- Deeper integrations with business applications and data residency support are part of Slack’s broader strategy to penetrate deeper into the enterprise.
- Slack introduced several features that make its app look more like Microsoft Teams, which now has 44 million daily active users.
- Slack and Zoom may eventually bundle their products to provide discounts to customers considering or already using all-in-one suites such as Office 365, analysts predict.
The use of additional security analytics capabilities will also add an extra defensive layer, said Graves, allowing security teams to spot events such as multiple people installing the same app in a short period of time, installation of apps using high-risk scopes, and uncommon calls that could be used for data exfiltration.
A Slack spokesperson responded to the disclosure, saying: “Webhooks are credential tools that provide access to posting functionality within a workspace. Though data cannot be exposed through webhooks on Slack, we do recommend that workspace owners or admins invalidate publicly exposed webhook URLs and generate new ones.
“To help Slack admins with that diligence, we proactively scrape GitHub for publicly exposed webhooks and invalidate them. Webhooks are safe as long as they remain secret since the webhook URL itself is unguessable. We also recommend workspace owners and admins use these best practices for storing credentials safely and that they review this guide to sending messages using incoming webhooks.”
Slack reiterated that it provides further features to enable security teams to conduct effective oversight of app installation and use within workspaces, as recommended by Graves.
The full disclosure blog, containing further information on malicious Slack applications, can be found here.