Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack

Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack.

Security researchers at eSentire are calling attention to a new method that attackers can use to redirect business professionals to malicious websites.

Described as the Wiki-Slack attack, the new technique uses modified Wikipedia pages and relies on a formatting error when the page is rendered in Slack.

To mount the attack, a threat actor would first need to select a Wikipedia article that might be of interest to an intended target, then modify it to add a legitimate footnote at the end of the first paragraph, and then share the article in Slack.

While the footnote itself is not malicious, the way Slack formats the shared page’s preview results in a link that is not visible on Wikipedia being rendered in the collaboration solution.

“Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lies in wait,” eSentire said in a note documenting the issue.

In addition to the reference at the end of the Wikipedia article’s first paragraph, the Wiki-Slack attack also requires that the first word of the second paragraph is a top-level domain (TLD) and that the two conditions appear in the first 100 words of the article.

“This will cause Slack to mishandle the whitespace between the first and second paragraph, spontaneously generating a new link in Slack,” the researchers said.
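The conditions listed above can be checked against a page's plain text before a link shown in a preview is trusted. The following is an added example, not code from eSentire or Slack; the `[n]` footnote pattern, the small TLD sample and the function name are assumptions made for illustration.

```python
import re

# Constructed, partial sample of TLDs that are also ordinary English words
# (assumption for this example; use the full IANA list in practice).
SAMPLE_TLDS = {"in", "at", "is", "it", "to", "so", "me", "as", "by", "no", "us"}
# Assumed plain-text form of a Wikipedia footnote marker, e.g. "[1]".
FOOTNOTE_AT_END = re.compile(r"\[\d+\]$")
WORD_LIMIT = 100  # the article's "first 100 words"

# Constructed sample pages, each given as a list of plain-text paragraphs.
SAMPLE_SUSPECT = [
    "Example Widget is a constructed article used only for this check.[1]",
    "In later years the widget was revised.",
]
SAMPLE_CLEAN = [
    "Example Widget is a constructed article used only for this check.",
    "The widget was later revised.",
]


def check_wiki_slack_conditions(paragraphs, tlds=SAMPLE_TLDS):
    """Report which of the article's stated conditions hold for a page.

    paragraphs: list of plain-text paragraphs, in page order.
    """
    report = {
        "footnote_ends_first_paragraph": False,
        "second_paragraph_starts_with_tld": False,
        "within_first_100_words": False,
    }
    if len(paragraphs) >= 2:
        first, second = paragraphs[0].strip(), paragraphs[1].strip()
        report["footnote_ends_first_paragraph"] = bool(FOOTNOTE_AT_END.search(first))
        words = second.split()
        if words:
            # Compare the bare, lower-cased word against the TLD set.
            first_word = re.sub(r"[^A-Za-z]", "", words[0]).lower()
            report["second_paragraph_starts_with_tld"] = first_word in tlds
        # 1-based position of the second paragraph's first word on the page.
        report["within_first_100_words"] = len(first.split()) + 1 <= WORD_LIMIT
    # Flag the page only when every stated condition holds at once.
    report["flag"] = all(report.values())
    return report


if __name__ == "__main__":
    for name, page in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, check_wiki_slack_conditions(page))
```

A flagged page is a reason to open the article on Wikipedia and compare it with the preview, not proof of tampering, since many unmodified articles may meet the same conditions.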

The attack is essentially a numbers game, meaning that the attacker needs to modify as many Wikipedia pages as they can and register domains for them, to ensure they can eventually infect a target of interest.

Furthermore, eSentire warns that the attacker could leverage Wikipedia statistics to identify pages that generate high traffic and abuse those to mount the Wiki-Slack attack.

To increase their chances of success, prior to mounting the attack, a threat actor can perform background research on the target, ensuring they use Slack, and can leverage ChatGPT or a similar Large Language Model (LLM) to scale the attack, eSentire points out.

A similar technique can be used with Medium articles as well, but using Wikipedia pages, which are more trusted than the author-controlled Medium blogs, has a higher chance of success, the researchers noted.

To prevent such attacks, organizations are advised to raise awareness around browser-based attacks leading to malware infections, employ endpoint monitoring, and build cyber resilience into their processes. eSentire says it has reported the identified issues to Slack.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
