Slack fixes a critical RCE bug in its desktop app
The flaw could have allowed attackers to access private conversations, channels, passwords, keys and tokens, and various functions within the app
Slack has fixed a critical remote code execution (RCE) vulnerability in its desktop app which could have allowed a remote attacker to take control of the app and steal users' confidential information from the device.
The flaw in the popular collaboration app was discovered in January by an independent security researcher who reported it to Slack via the HackerOne bug bounty platform.
In his bug report, Oskars Vegeris (who goes by the name "oskarsv" on HackerOne) warned that threat actors could create an exploit for this flaw to gain full remote control over the Slack desktop app and then enjoy access to private conversations, channels, passwords, keys and tokens, and various functions within the app.
Not only that, the attackers could also make their attack "wormable". In other words, if one member of a particular team got infected, their account would automatically re-share the payload to other members of the team.
"With any in-app redirect-logic/open redirect, HTML or JavaScript injection, it's possible to execute arbitrary code within Slack desktop apps," the researcher stated.
"This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload."
He explained that to exploit the bug, an attacker would first need to upload a booby-trapped image carrying the RCE payload to their own HTTPS-enabled server. Then, they could create a Slack post with an HTML injection containing the attack URL pointing to that payload.
Following that, the attacker would just need to share the post with a public Slack channel or user.
Once a user clicks on the booby-trapped image, the code will be executed on the victim's machine.
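The chain above works because the desktop app follows an in-app redirect to attacker-controlled content and runs it in its own trusted context. The usual defence is to treat every navigation or redirect target as untrusted and check it against an explicit allowlist before the app window loads it, handing anything else to the OS browser or dropping it. The following is an added example written for this article, not Slack's code: the origins, the `checkNavigation` and `routeNavigation` functions, and the Electron wiring shown in the comment are all assumptions for illustration.

```javascript
// Added example (not Slack's code): strict navigation-target validation for a
// desktop app that renders user-controlled content. Origins are assumed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example-chat.test',
  'https://files.example-chat.test',
]);

// Decide whether the app window itself may navigate to `target`.
// Returns { allowed, reason } so callers can log the decision.
function checkNavigation(target, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(String(target));
  } catch (e) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  // Only https is ever loaded in-app: javascript:, data:, file: and custom
  // schemes are rejected before any origin comparison happens.
  if (url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme ' + url.protocol + ' not permitted' };
  }
  // "https://trusted.test@attacker.test/" parses with trusted.test as the
  // username; refuse embedded credentials rather than risk confusing them.
  if (url.username || url.password) {
    return { allowed: false, reason: 'credentials in URL' };
  }
  // Compare the full normalised origin (scheme + host + port). A substring or
  // prefix match on the hostname would accept trusted.test.attacker.test.
  if (!allowedOrigins.has(url.origin)) {
    return { allowed: false, reason: 'origin ' + url.origin + ' not allowlisted' };
  }
  return { allowed: true, reason: 'ok' };
}

// Route a requested navigation: allowlisted targets stay in-app, other
// web URLs go to the OS browser (outside the app's trusted context), and
// everything else (javascript:, file:, garbage) is dropped.
function routeNavigation(target, openExternally) {
  if (checkNavigation(target).allowed) return 'in-app';
  let scheme = '';
  try { scheme = new URL(String(target)).protocol; } catch (e) { /* unparseable */ }
  if (scheme === 'http:' || scheme === 'https:') {
    openExternally(String(target));
    return 'external';
  }
  return 'blocked';
}

// Wiring sketch for an Electron main process (assumed usage, kept as a comment
// so this file runs without Electron):
//   win.webContents.on('will-navigate', (event, url) => {
//     if (routeNavigation(url, shell.openExternal) !== 'in-app') event.preventDefault();
//   });
//   win.webContents.setWindowOpenHandler(({ url }) =>
//     routeNavigation(url, shell.openExternal) === 'in-app' ? { action: 'allow' } : { action: 'deny' });

// Constructed sample targets, including the lookalike-host and credential tricks.
const SAMPLE_TARGETS = [
  'https://app.example-chat.test/messages/C123',
  'https://files.example-chat.test:443/f',
  'https://app.example-chat.test.attacker.test/x',
  'https://app.example-chat.test@attacker.test/',
  'javascript:alert(1)',
  'http://app.example-chat.test/',
];
for (const t of SAMPLE_TARGETS) {
  console.log(t, '=>', routeNavigation(t, () => {}), JSON.stringify(checkNavigation(t)));
}
```

The check deliberately compares `url.origin` after the URL parser has normalised case and default ports, so `HTTPS://APP.EXAMPLE-CHAT.TEST/` and `https://files.example-chat.test:443/f` pass while any non-default port, lookalike host or non-https scheme does not.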
Vegeris said that Slack for desktop versions 4.2 and 4.3.2 (Mac/Windows/Linux) were affected by the vulnerability.
While analysing weaknesses in Slack, Vegeris also discovered that emails, when sent as plaintext, are stored unfiltered on Slack servers. He warned that hackers could abuse this to store the RCE payload on Slack's own domain, without needing to host it themselves.
"Since it's a trusted domain, it could contain a phishing page with a fake Slack login page or different arbitrary content which could impact both security and reputation of Slack," he said.
"There are no security headers or any restrictions at all as far as I could tell and I'm sure some other security impact could be demonstrated with enough time."