- Slack desktop app not updating after posting from phone full#
- Slack desktop app not updating after posting from phone code#
Users should make sure their Slack desktop apps are upgraded to at least version 4.4 in order to avoid attacks. “The payload can be easily modified to access all private conversations, files, tokens etc., without executing commands on the user’s computer,” he wrote, “ access to private files, private keys, passwords, secrets, internal network access, etc.”įurther, the payload could be made “wormable” so that it re-posts to all user workspaces, the researcher added. Regardless of approach, exploits can be used to execute any attacker-provided command, according to the researcher. “There are no security headers or any restrictions at all as far as I could tell and I’m sure some other security impact could be demonstrated with enough time.” “Since it’s a trusted domain, it could contain a phishing page with a fake Slack login page or different arbitrary content which could impact both security and reputation of Slack,” he explained. However, it is still possible to inject area and map tags, which can be used to achieve a one-click-RCE.” He further explained that the URL link to the malicious payload could be written within the area tag.Īlternatively, oskarsv also discovered that emails (when sent as plaintext) are stored unfiltered on Slack servers – a situation that can be abused in order to store the RCE payload without attackers needing to own their own hosting. and target attribute is overwritten to _blank for A tags). banned iframe, applet, meta, script, form etc. Oskarsv added, “JavaScript execution is restricted by Content Security Policy (CSP) and various security protections are in place for HTML tags (i.e.
“It’s possible to directly edit this JSON structure, which can contain arbitrary HTML.” “ creates a new file on with JSON structure,” according to the writeup.
Slack desktop app not updating after posting from phone code#
If a user clicks on the booby-trapped image, the code will be executed on the victim’s machine.Īs for accomplishing the HTML injection, the issue lies in the way Slack posts are created, according to the researcher. After that, they need only to share that post with a public Slack channel or user. To exploit the bug, attackers would need to upload a file to their own HTTPS-enabled server with a payload then, they could prepare a Slack post with an HTML injection containing the attack URL pointing to that payload (hidden in an image). “This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE JavaScript payload.”Īccording to the disclosed technical writeup, attackers could trigger an exploit by overwriting Slack desktop app “env” functions to create a tunnel via BrowserWindow to then execute arbitrary JavaScript, in what is “a weird XSS case,” he said. “With any in-app redirect-logic/open redirect, HTML or JavaScript injection, it’s possible to execute arbitrary code within Slack desktop apps,” wrote a bug-hunter going by the handle “oskarsv,” who submitted a report on the bug to Slack via the HackerOne platform (earning $1,500). Slack for Desktop (Mac/Windows/Linux) prior to version 4.4 are vulnerable. The bug (rated between nine and 10 on the CvSS vulnerability-severity scale), was disclosed on Friday, and involves cross-site scripting (XSS) and HTML injection. They could also potentially burrow further into an internal network, depending on the Slack configuration, according to a security report.
Slack desktop app not updating after posting from phone full#
Attackers could gain full remote control over the Slack desktop app with a successful exploit - and thus access to private channels, conversations, passwords, tokens and keys, and various functions.
A critical vulnerability in the popular Slack collaboration app would allow remote code-execution (RCE).
0 kommentar(er)
