Improper handling of a custom URI created a vulnerability, now patched, for users of the Electron-based Slack Desktop client on Windows.
A vulnerability in the Slack Desktop client on Windows allowing malicious actors to steal or manipulate downloads from users was discovered by security research firm Tenable, due to a fault in the way Slack treats clickable links, and how the slack:// URI works.
The vulnerability “could allow a remote attacker to submit a masqueraded link in a slack channel, that ‘if clicked’ by a victim, would silently change the download location setting of the slack client to an attacker owned SMB share,” Tenable researcher David Wells wrote in a Tuesday blog post. “This would allow all future downloaded documents by the victim to end up being uploaded to an attacker owned file server until the setting is manually changed back by the victim. While on the attacker’s server, the attacker can not only steal the document, but even modify it before it’s opened by victim after download (through Slack application).”
Wells also notes that the vulnerability can be used by malicious actors who are not members of a particular channel through the use of RSS feeds, which can be broadcast in a channel, containing links.
SEE: Straight up: How the Kentucky bourbon industry is going high tech (cover story PDF) (TechRepublic)
The Slack Desktop client, which is built using Electron, is often criticized for inefficiency. The app has a reputation for consuming mass amounts of CPU and RAM, with noted programmer Matthew O’Riordan writing in 2017 that resource consumption increases linearly with the number of accounts added to the client. While Slack has fixed that issue, and taken steps to reduce the memory footprint, Electron applications by their nature—as a self-contained node.js, V8, and Chromium package—have significant overhead compared to “native” desktop applications.
The electron platform also contains its own vulnerabilities. A 2018 vulnerability in custom URIs for Electron apps allowed attackers to remotely execute code, again, only on Windows.
Electron is here to stay, however, as the framework is used for messaging applications such as Skype, Signal, Wire, and Discord, and GitHub’s text editor Atom.
Slack updated the Windows Desktop client to 3.4.0 to address this vulnerability. According to Tenable, “Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted.”
Slack is not the only messaging platform facing security issues, as a Whatsapp bug allows hackers to install spyware on your phone with just a phone call.