Now-patched code execution bug affected mobile and desktop versions of messaging app
The issue, present in both the mobile and desktop versions of the app, allowed a malicious actor to disguise dangerous files as benign, due to a flaw in the create snippet feature which resulted in filetypes being displayed incorrectly.
Slack’s snippet feature allows users to quickly and easily share pieces of code, configuration files, or log files within their workspace.
While the feature is intended to simplify users’ workflow, researchers discovered that by including a long file name and certain ASCII characters in the snipped content, an attacker could trick Slack into showing that a .CSV file was being downloaded when it was actually a .BAT executable.
Researcher Kevin McSheehan discovered the bug after just a few minutes’ work.
“It didn’t take long at all,” McSheehan, CEO of pen test start-up Envadr.io, told The Daily Swig.
“My friend Ryan and I were in his Slack, which is otherwise reserved for his subdomain and asset monitoring bot, and I started trying to break the code snippet sharing feature.
“Naturally he joined in on the fun. Building off of each other’s momentum, I nailed it in about 10 minutes.”
Under the hood
McSheehan told The Daily Swig that he discovered the vulnerability by using Buzzfeed data scientist Max Woolf’s open source ‘naughty strings’ tool.
“I found a glitchy character that appeared to break the parser in the source code snippet sharing feature,” he said.
“Interestingly I was able to not only create new files, but also lie about their filetypes.
“What that means is that I was able to inject benign looking files into Slack channels and DMs [direct messages] which were actually executables.
“In essence, this issue enables a malicious user to disguise a dangerous executable as a safe, non-executable filetype.
“Since Slack is often used by businesses for their internal communication, it’s relatively common for spreadsheets, text documents, and other innocuous files to be shared between employees.”
YOU MAY ALSO LIKE Custom themes lead to data exfiltration in Slack messaging platform
His colleague Ryan Cartner, Envadr.io CTO, told The Daily Swig that leaving this bug unpatched leaves users vulnerable to attacks such as spear-phishing attempts.
He explained: “Leveraging this bug an attacker can disguise a malicious .BAT file as something innocuous like a .CSV file.
“Slack will tag the file as a .CSV and even display a handy little .CSV file icon. Users that trust Slack will assume this file to be a safe comma delimited text file with no dangerous capabilities.
“In reality, it could execute code on the victim’s machine. An attacker could use this in a target spear-phishing attack against a business, or multiple businesses, using it to gain access to their internal assets.”
McSheehan reported the vulnerability to Slack’s bug bounty program, which classified it as a high-severity issue. He split the $1,500 reward between himself and Cartner.
The researcher said: “I was impressed with their expeditious and transparent approach to security.”
Slack has fully patched the bug. A spokesperson told The Daily Swig: “The patch actually became effective for all versions of Slack as soon as the code was deployed, which was on May 7.”
They added that Slack has recently increased minimum bounties for high and critical bugs, in the hopes of further engaging top researchers on HackerOne’s platform.
“Slack’s security has always been enterprise grade, and many government agencies, financial institutions and other enterprise companies in regulated industries rely on Slack to keep their data secure and meet compliance requirements,” the spokesperson said.
“We maintain a comprehensive, frequently tested and well-staffed security program.”
They added: “We also established a bug bounty program early on at Slack, in 2014, providing a safe conduit for responsible disclosure of security vulnerabilities and a way to reward researchers for doing the right thing.
“Since then, the Slack team has resolved over 900 vulnerabilities thanks to over 450 hackers participating in our program.”
This article has been updated to include further comment from Slack.