Slack vulnerability allowed attackers to smuggle malicious files onto victims’ devices

Now-patched code execution bug affected mobile and desktop versions of messaging app

UPDATED Researchers earned a $1,500 bug bounty payout after disclosing a remote code execution (RCE) vulnerability in popular messaging tool Slack.

The issue, present in both the mobile and desktop versions of the app, allowed a malicious actor to disguise dangerous files as benign, due to a flaw in the create snippet feature which resulted in filetypes being displayed incorrectly.

Slack’s snippet feature allows users to quickly and easily share pieces of code, configuration files, or log files within their workspace.

While the feature is intended to simplify users’ workflow, researchers discovered that by including a long file name and certain ASCII characters in the snipped content, an attacker could trick Slack into showing that a .CSV file was being downloaded when it was actually a .BAT executable.

Researcher Kevin McSheehan discovered the bug after just a few minutes’ work.

“It didn’t take long at all,” McSheehan, CEO of pen test start-up Envadr.io, told The Daily Swig.

“My friend Ryan and I were in his Slack, which is otherwise reserved for his subdomain and asset monitoring bot, and I started trying to break the code snippet sharing feature.

“Naturally he joined in on the fun. Building off of each other’s momentum, I nailed it in about 10 minutes.”

Under the hood

McSheehan told The Daily Swig that he discovered the vulnerability by using Buzzfeed data scientist Max Woolf’s open source ‘naughty strings’ tool.

“I found a glitchy character that appeared to break the parser in the source code snippet sharing feature,” he said.

“Interestingly I was able to not only create new files, but also lie about their filetypes.

“What that means is that I was able to inject benign looking files into Slack channels and DMs [direct messages] which were actually executables.

“In essence, this issue enables a malicious user to disguise a dangerous executable as a safe, non-executable filetype.

“Since Slack is often used by businesses for their internal communication, it’s relatively common for spreadsheets, text documents, and other innocuous files to be shared between employees.”

His colleague Ryan Cartner, Envadr.io CTO, told The Daily Swig that leaving this bug unpatched leaves users vulnerable to attacks such as spear-phishing attempts.

He explained: “Leveraging this bug an attacker can disguise a malicious .BAT file as something innocuous like a .CSV file.

“Slack will tag the file as a .CSV and even display a handy little .CSV file icon. Users that trust Slack will assume this file to be a safe comma delimited text file with no dangerous capabilities.

“In reality, it could execute code on the victim’s machine. An attacker could use this in a target spear-phishing attack against a business, or multiple businesses, using it to gain access to their internal assets.”

Transparent approach

McSheehan reported the vulnerability to Slack’s bug bounty program, which classified it as a high-severity issue. He split the $1,500 reward between himself and Cartner.

The researcher said: “I was impressed with their expeditious and transparent approach to security.”

Slack has fully patched the bug. A spokesperson told The Daily Swig: “The patch actually became effective for all versions of Slack as soon as the code was deployed, which was on May 7.”