Critical Slack Bug Allows Access to Private Channels, Conversations (Security News, August 2020)
A critical vulnerability in the popular Slack collaboration app would allow remote code execution.
Attackers who successfully exploited it could gain full remote control over the Slack desktop app, and with it access to private channels, conversations, passwords, tokens and keys, and various functions.
"With any in-app redirect-logic/open redirect, HTML or JavaScript injection, it's possible to execute arbitrary code within Slack desktop apps," wrote a bug-hunter going by the handle "Oskarsv," who submitted a report on the bug to Slack via the HackerOne platform.
To exploit the bug, attackers would need to upload a file containing a payload to their own HTTPS-enabled server; then, they could prepare a Slack post with an HTML injection containing the attack URL pointing to that payload. After that, they need only share that post with a public Slack channel or user.
"The payload can be easily modified to access all private conversations, files, tokens etc., without executing commands on the user's computer," he wrote, "[or] access to private files, private keys, passwords, secrets, internal network access, etc."
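The root cause the researcher names is an in-app redirect that accepts an attacker-controlled URL. The following is an added defensive example, not Slack's code and not from the Threatpost article: a strict allowlist check for redirect and navigation targets of the kind a desktop (Electron-style) app should apply before loading anything in its renderer. The host names are constructed placeholders, not Slack's real configuration.

```javascript
// Added example (not Slack's code). ALLOWED_HOSTS is a constructed placeholder
// list standing in for the app's own origins.
const APP_ORIGIN = "https://app.example-workspace.test/";
const ALLOWED_HOSTS = new Set([
  "app.example-workspace.test",
  "files.example-workspace.test",
]);

// Returns true only for https URLs whose host is on the allowlist.
// Everything else is rejected: javascript:, data:, file: and other schemes,
// plain http, protocol-relative "//evil.test" paths, lookalike hosts, and
// userinfo tricks such as "https://allowed-host@evil.test", each of which is a
// way for an attacker-supplied URL to end up loaded inside the app.
function isSafeRedirect(target, base = APP_ORIGIN) {
  let url;
  try {
    url = new URL(target, base); // relative paths resolve against the app origin
  } catch {
    return false;                // unparsable input is never a safe redirect
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Resolve a requested redirect: follow it only when it passes the check,
// otherwise send the user to the app's home route. Returns the URL to load.
function resolveRedirect(target) {
  if (isSafeRedirect(target)) {
    return new URL(target, APP_ORIGIN).href;
  }
  console.warn(`blocked redirect to untrusted target: ${target}`);
  return APP_ORIGIN;
}

module.exports = { isSafeRedirect, resolveRedirect };
```

In an Electron app a check like this belongs in the `will-navigate` handler on `webContents` and in `setWindowOpenHandler`, so that both in-page navigation and `window.open` calls are filtered by the same allowlist; a content security policy that disallows inline script and remote script sources is the complementary control against the HTML and JavaScript injection half of the report.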
News URL
https://threatpost.com/critical-slack-bug-access-private-channels-conversations/158795/