Slack has fixed a critical remote code execution (RCE) vulnerability in its desktop app which could have allowed a remote attacker to take control of the app and steal users' confidential information from the device.
The flaw in the popular collaboration app was discovered in January by an independent security researcher who reported it to Slack via the HackerOne bug bounty platform.
In his bug report, Oskars Vegeris (who goes by the name "oskarsv" on HackerOne) warned that threat actors could create an exploit for this flaw to gain full remote control over the Slack desktop app and then access private conversations, channels, passwords, keys and tokens, and various functions within the app.
Not only that, the attackers could also make their attack "wormable": if one member of a particular team got infected, their account would automatically re-share the payload with other members of the team.
He explained that to exploit the bug, an attacker would first need to upload a booby-trapped image carrying the RCE payload to their own HTTPS-enabled server. They would then create a Slack post containing an HTML injection with the attack URL pointing to that payload.
Following that, the attacker would just need to share the post with a public Slack channel or user.
Once a user clicks on the booby-trapped image, the payload is executed on the victim's machine.
Vegeris said that Slack for desktop versions 4.2 and 4.3.2 (Mac, Windows and Linux) were affected by the vulnerability.
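The injection point in that chain is user-controlled HTML reaching the desktop client's renderer. The following is an added illustration, not Slack's code and not the researcher's exploit: an allow-list sanitizer of the kind a chat client should run over post markup before rendering it. Tag and attribute names, the allowed-scheme set and the sample inputs are my own choices; the point it demonstrates is that inline event handlers (`onclick`, `onerror`) and non-http(s) URL schemes (`javascript:`, `data:`, entity-encoded variants) are dropped, and any markup that does not match the strict grammar is escaped and displayed as literal text rather than parsed.

```javascript
// Added example (not Slack's code): allow-list sanitizer for user-supplied
// post HTML. Fail-closed: anything the tag grammar below does not recognise
// is escaped and rendered as plain text.

// tag name -> attributes permitted on it (assumed policy for this example)
const ALLOWED_TAGS = new Map([
  ['p', []], ['br', []], ['b', []], ['i', []], ['strong', []], ['em', []],
  ['code', []], ['pre', []], ['ul', []], ['ol', []], ['li', []],
  ['a', ['href']],          // link target goes through safeUrl()
  ['img', ['src', 'alt']],  // image source goes through safeUrl()
]);
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Strict tag grammar: attributes must be whitespace-separated and values
// either quoted or free of quotes/angle brackets. Sticky flag so we can
// test "is there a well-formed tag exactly here?".
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z_:][-a-zA-Z0-9_:.]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*(\/?)>/y;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Decode the entities we understand. Whatever is left ("&colon;", "&Tab;",
// unknown names) is re-escaped on output, so it can never reach the browser
// as a decoded character.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = named[body.toLowerCase()];
    return v === undefined ? m : v;
  });
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep a URL only if it parses as an absolute http(s) URL. WHATWG parsing
// strips leading whitespace and lower-cases the scheme, so " JaVaScRiPt:..."
// is caught; relative URLs throw and are dropped too.
function safeUrl(value) {
  let u;
  try { u = new URL(value); } catch { return null; }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

function sanitizeHtml(input) {
  let out = '';
  let text = '';   // pending literal text, escaped when flushed
  let i = 0;
  while (i < input.length) {
    if (input[i] !== '<') { text += input[i++]; continue; }
    TAG_RE.lastIndex = i;
    const m = TAG_RE.exec(input);
    if (!m) { text += input[i++]; continue; }   // malformed tag: shown literally
    out += escapeText(decodeEntities(text)); text = '';
    i = TAG_RE.lastIndex;
    const [, closing, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    const allowedAttrs = ALLOWED_TAGS.get(name);
    if (!allowedAttrs) continue;                // <script>, <iframe>, ...: tag dropped, text stays
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      if (!allowedAttrs.includes(attrName)) continue;   // drops on*, style, srcdoc, ...
      let value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
      if (URL_ATTRS.has(attrName)) {
        value = safeUrl(value);
        if (value === null) continue;                  // javascript:, data:, file:, relative
      }
      attrs += ` ${attrName}="${escapeText(value)}"`;
    }
    out += `<${name}${attrs}${selfClose ? ' /' : ''}>`;
  }
  return out + escapeText(decodeEntities(text));
}

// Constructed sample: a post body with a handler-laden image and a script-scheme link.
const SAMPLE_POST = '<p>Look: <img src="https://cdn.example/pic.png" onclick="doEvil()"> ' +
                    '<a href="javascript:alert(1)">click</a></p>';
console.log(sanitizeHtml(SAMPLE_POST));
```

Sanitizing is a mitigation for the injection, not for the blast radius: the reason an HTML injection in a chat post can become code execution on the host at all is a privileged renderer. In Electron that means keeping `nodeIntegration` off, `contextIsolation` on, and a Content-Security-Policy that forbids inline script, so that even a sanitizer bypass lands in an ordinary web sandbox rather than a Node.js context.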
While analysing weaknesses in Slack, Vegeris also discovered that emails, when sent as plaintext, are stored unfiltered on Slack servers. He warned that hackers could abuse this to host the RCE payload on Slack's own domain, without needing hosting of their own.
"Since it's a trusted domain, it could contain a phishing page with a fake Slack login page or different arbitrary content which could impact both security and reputation of Slack," he said.
"There are no security headers or any restrictions at all as far as I could tell and I'm sure some other security impact could be demonstrated with enough time."