Research inspired by similar flaws previously unearthed in Facebook, Twitter, and Microsoft Live

Slack contains an XSLeak vulnerability that de-anonymizes users

A security hole in the file-sharing feature of Slack enables malicious actors to identify users outside of the workforce messaging platform.

Slack apparently has no plans to patch the flaw in its web application, saying users can prevent such attacks by ensuring everyone in their workspace is ‘trusted’.

Known as a cross-site leak (XS-Leak), the vulnerability allows attackers to circumvent same-origin policy, a browser security feature that prevents tabs and frames of different domains from accessing each other’s data.

XSLeaks in social media platforms

In 2019, researchers from TU Darmstadt documented an XSLeak channel in image-sharing features of Facebook, Twitter, and Microsoft Live, among other popular messaging and social media platforms.

Basically, when users upload an image in their private chat threads, the host service creates a unique URL for that resource that is only accessible by parties within the thread. An attacker can abuse this mechanism to create a unique URL for a target user and then force the browsers of visitors to another website to request the same URL.


RECOMMENDED What does the future hold for browser security? Check out the latest features destined for mobile and desktop


Depending on the browser’s response, the attacker will determine if the visitor is the same user. This technique can be used for fingerprinting or spear phishing attacks.

Security researcher Julien Cretel told The Daily Swig that the paper inspired him to check “whether Slack's file-sharing functionality was vulnerable to Leaky Image, and sure enough, it was... and still is”.

From file-sharing to de-anonymization

The XSLeak in Slack, which Cretel has documented comprehensively on his blog, is contingent on the attacker having a user account in the same Slack workspace as their targets and being able to send them direct messages.

When a user uploads a file in a direct messaging channel, Slack generates a URL that is only accessible to parties to the conversation. Other users, regardless of being part of the Slack group or not, will be redirected to the main page when they try to retrieve the URL.

Slack uses the ‘SameSite=lax’ directive to protect its session cookie, which means it is only available to requests from domains under specific conditions.

However, Cretel shows that with some simple JavaScript coding, an attacker can create a webpage that circumvents the SameSite protection and fetches the URL. If the resource is accessible, the attacker confirms that the visitor is in fact the same Slack user.

Cretel created a novel technique leveraging ‘form-action’, a directive available on Chromium-based browsers, in order to detect multiple Slack users. He also used Slack’s group DM messages to reduce the number of file uploads required to identify target users.

Mitigation, not remediation

The bug has some limitations: it does not work on the desktop and mobile app or non-Chromium browsers such as Firefox and Safari.

Cretel has filed an issue on the Chromium bug-reporting platform in the hope of getting the form-action directive quirk addressed.

However, the researcher said Slack has declined to fix the bug on the grounds that, contrary to public services like Twitter, Slack is a trusted workspace and “there is at least some implied measure of trust, or at least familiarity, between two users in a Slack Workspace”.


Read more of the latest news about security vulnerabilities


However, he told The Daily Swig that “Slack’s response is somewhat conflicted. On the one hand, they assume that members of a given workspace are benevolent and trust each other; on the other hand, they urge workspace admins to diligently curate the list of members in order to prevent abuse.”

In many Slack workspaces, the barrier of entry is very low. For example, Slack has a default setting that allows non-guest members to invite others to their workspace. And some Slack workspaces have effectively become very large, cross-business messaging forums.

A spokesperson for Slack told The Daily Swig:


“Slack is always working to ensure the safety and security of our platform, and we’re grateful to the security research community for their work in supporting that effort.

“The best way to prevent attacks between members of a workspace is to ensure everyone in your workspace is a trusted member or partner. Slack gives each organization control over permissions to send invitations and tools to restrict membership as appropriate.

“We know there are organizations that use Slack where membership may be more broad – for tighter control in these instances, we recommend setting permissions to only let Workspace Owners and Admins send invitations to new members.”


Cretel said: “Although I'm underwhelmed by their response, I must admit I’m grateful that Slack allowed me to disclose the bug. Now that it’s in the open, perhaps pressure from their customers will make them reconsider their stance.”


YOU MIGHT ALSO LIKE Injection vulnerabilities in popular WordPress