CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Slack Flaw Allows Hackers to Steal, Manipulate Downloads

A recently patched vulnerability in the Slack desktop application for Windows can be exploited by malicious actors to steal and manipulate a targeted user’s downloaded files.

A recently patched vulnerability in the Slack desktop application for Windows can be exploited by malicious actors to steal and manipulate a targeted user’s downloaded files.

David Wells, a researcher at Tenable, discovered that version 3.3.7 of the Slack desktop app is affected by a download hijacking vulnerability that can be exploited by getting the targeted user to click on a specially crafted link pasted into a Slack channel. The security hole was patched by Slack with the release of version 3.4.0.

Wells found that slack:// links can be used to change the location where a user’s files are downloaded using the PrefSSBFileDownloadPath setting. An attacker could create a link that, when clicked, changes the targeted user’s download destination to a path specified by the attacker, including a remote SMB share.

The link, which can be set up to look as if it points to a trusted website, would look something like this:

slack://settings/?update={‘PrefSSBFileDownloadPath’:’<newDownloadLocation>’}

After the victim clicks the link, all the files they download in the future will go to the location specified by the attacker. Furthermore, Wells found that an attacker could manipulate the downloaded file stored in the location they control and it would be opened from there when accessed by the user.

For instance, an attacker can modify financial documents downloaded by the victim, or inject malware into downloaded Office files.

Slack download hijacking vulnerability

The specially crafted links that change the download location can be pasted to a Slack channel or a private conversation to which the attacker has access. This means that the vulnerability would mostly be useful to malicious insiders or attackers who already have access to the targeted organization’s Slack workspace.

Advertisement. Scroll to continue reading.

However, Wells also discovered that an unauthenticated attacker can change the location of downloaded files using RSS feeds, which can be used to fetch data from third-party websites to Slack channels.

If the hacker can get the targeted user to click on a specially crafted RSS feed link posted anywhere on the web, the download location can be changed even if the attacker does not have access to the victim’s Slack workspace.

“This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to,” Tenable explained.

Since exploitation of the vulnerability requires user interaction and, in some cases, authentication, it has been classified as “medium severity.” Slack paid out a $500 bounty to the researcher who discovered the flaw.

The issue was reported to Slack via HackerOne on February 15 and it was patched with the release of version 3.4.0 on April 22. Some Slack installations are automatically updated, but users concerned that this vulnerability may be exploited against them should ensure that they are running the latest version.

Related: Slack Lists Cybersecurity Risks Ahead of Going Public

Related: Slack, GitHub Abused by New SLUB Backdoor in Targeted Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.