According to Tenable Research’s David Wells, who discovered the bug and reported it via the HackerOne bug-bounty platform, a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows would allow an attacker to post a specially crafted hyperlink into a Slack channel that changes the document download location path when clicked. Victims can still open the downloaded document through the application, however, that will be done from the attacker’s Server Message Block (SMB) share.
“[The issue exists in] the ‘slack://’ protocol handler, which has the capability to change sensitive settings in the Slack Desktop Application,” Wells said in a posting on Friday. “This download path can be an attacker-owned SMB share, which would cause all future documents downloaded in Slack to be instantly uploaded to the attacker’s server.”
The reason it has to be an SMB share is because of a security check built into the platform. The Slack application filters certain characters out – including colons – so an attacker can’t supply a path with a drive root.
“An SMB share, however, completely bypassed this sanitation as there is no root drive needed,” Wells explained. “After setting up a remote SMB share, we could send users or channels a link that would redirect all downloads to it after they click the link.”
An attack can be carried out by both authenticated and unauthenticated users, Wells said. In the first scenario, an insider could exploit the vulnerability for corporate espionage, manipulation or to gain access to documents outside of their role or privilege level.
In the second scenario, an outsider could place crafted hyperlinks into pieces of content that could be pulled into a Slack channel via external RSS feeds.
“Let’s consider an example with reddit.com. Here I could make a post to a very popular Reddit community that Slack users around the world are subscribed to (in this test case, however, I chose a private one I owned),” Wells said. “I will drop an HTTP link (because slack:// links are not allowed to be hyperlinked on Reddit) that will redirect to our malicious slack:// link and change settings when clicked. Once posted to this subreddit, our test Slack channel (that is subscribed to this subreddit feed), is now populated with the new article entry and previews the text which includes the link.”
Success here would require knowing which RSS feeds the target Slack user subscribes to, of course.
Malware and More
In addition to being an information-disclosure concern (attackers could access sensitive company documents, financial data, patient records and anything else someone shares via the platform), the vulnerability could be used as a jumping-off point for broader attacks.
“If an Office Document (Word, Excel, etc.) is downloaded, the attacker’s server could inject malware into it, so that when opened, the victim machine is compromised,” Wells explained. He added, “the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share, the options from there on are endless.”
Because it does require user interaction to exploit, the vulnerability carries a medium-level CVSSv2 rating of 5.5. However, the researcher said that attackers can use a spoofing technique to mask the malicious URL behind a fake address, say “http://google.com,” to give it more legitimacy and convince a Slack user to click on the link.
More specifically, it’s possible to link to words within Slack by adding an “attachment” field to a Slack POST request with appropriate fields, Wells said.
“The hyperlink text can be masqueraded by using the ‘attachment’ feature in Slack, which allows an attacker to replace the hyperlink’s actual uniform resource identifier with any custom text, possibly fooling users into clicking,” Wells noted.
The attack surface is potentially large. Slack said in January that it has 10 million active daily users, and 85,000 organizations use the paid version (it’s unclear how many are Windows users). Fortunately, Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0, so users should upgrade their apps and clients.