Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Slack Flaw Allows Hackers to Steal, Manipulate Downloads

A recently patched vulnerability in the Slack desktop application for Windows can be exploited by malicious actors to steal and manipulate a targeted user’s downloaded files.

A recently patched vulnerability in the Slack desktop application for Windows can be exploited by malicious actors to steal and manipulate a targeted user’s downloaded files.

David Wells, a researcher at Tenable, discovered that version 3.3.7 of the Slack desktop app is affected by a download hijacking vulnerability that can be exploited by getting the targeted user to click on a specially crafted link pasted into a Slack channel. The security hole was patched by Slack with the release of version 3.4.0.

Wells found that slack:// links can be used to change the location where a user’s files are downloaded using the PrefSSBFileDownloadPath setting. An attacker could create a link that, when clicked, changes the targeted user’s download destination to a path specified by the attacker, including a remote SMB share.

The link, which can be set up to look as if it points to a trusted website, would look something like this:

slack://settings/?update={‘PrefSSBFileDownloadPath’:’<newDownloadLocation>’}

After the victim clicks the link, all the files they download in the future will go to the location specified by the attacker. Furthermore, Wells found that an attacker could manipulate the downloaded file stored in the location they control and it would be opened from there when accessed by the user.

Advertisement. Scroll to continue reading.

For instance, an attacker can modify financial documents downloaded by the victim, or inject malware into downloaded Office files.

Slack download hijacking vulnerability

The specially crafted links that change the download location can be pasted to a Slack channel or a private conversation to which the attacker has access. This means that the vulnerability would mostly be useful to malicious insiders or attackers who already have access to the targeted organization’s Slack workspace.

However, Wells also discovered that an unauthenticated attacker can change the location of downloaded files using RSS feeds, which can be used to fetch data from third-party websites to Slack channels.

If the hacker can get the targeted user to click on a specially crafted RSS feed link posted anywhere on the web, the download location can be changed even if the attacker does not have access to the victim’s Slack workspace.

“This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to,” Tenable explained.

Since exploitation of the vulnerability requires user interaction and, in some cases, authentication, it has been classified as “medium severity.” Slack paid out a $500 bounty to the researcher who discovered the flaw.

The issue was reported to Slack via HackerOne on February 15 and it was patched with the release of version 3.4.0 on April 22. Some Slack installations are automatically updated, but users concerned that this vulnerability may be exploited against them should ensure that they are running the latest version.

Related: Slack Lists Cybersecurity Risks Ahead of Going Public

Related: Slack, GitHub Abused by New SLUB Backdoor in Targeted Attacks

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.