Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s files were stored.
Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. “This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium),” today’s press release said.
If users click on the link, an attacker could not only steal future documents downloaded within Slack but also manipulate them, such as injecting malicious code that would compromise the victim’s machine once opened, according to Wells.
The attack reportedly can be performed through any Slack direct messaging or Slack channel to which an attacker might be authenticated.
“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview,” Wells said; he discusses the attack in depth in his blog post.
The flaw was found in the Slack desktop application for Windows version 3.3.7, which Tenable reported to Slack via HackerOne. “Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0. Slack investigated and found no indication that this vulnerability was ever utilized, nor reports ..
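The practical response the article calls for is confirming that every Slack Desktop for Windows install is at 3.4.0 or later. The script below is an added example, not code from the article, Tenable or Slack: it takes a constructed inventory export (hostname, product, version), parses the version strings, and lists hosts still below the patched version. The inventory format and host names are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample inventory (not from the article): "hostname,product,version".
# Includes a two-part version and a non-version string to exercise the edge cases.
SAMPLE_INVENTORY = """\
ws-001,Slack Desktop for Windows,3.3.7
ws-002,Slack Desktop for Windows,3.4.0
ws-003,Slack Desktop for Windows,3.3.8
ws-004,Slack Desktop for Windows,3.10.1
ws-005,Slack Desktop for Windows,3.4
ws-006,Slack Desktop for Windows,not-installed
"""

# Version the article names as carrying the fix for the download hijack bug.
PATCHED_VERSION = (3, 4, 0)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a dotted numeric version ("3.3.7", "v3.4") into a comparable tuple.

    Returns None for strings that are not versions. Missing trailing
    components are padded with zeros so "3.4" compares equal to "3.4.0".
    Tuples compare numerically per component, so 3.10.1 sorts above 3.4.0.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the patched release, False if below, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return v >= PATCHED_VERSION


def find_vulnerable_hosts(inventory_csv: str) -> Tuple[List[str], List[str]]:
    """Return (hosts_needing_upgrade, hosts_with_unparseable_version)."""
    vulnerable: List[str] = []
    unknown: List[str] = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if "slack" not in product.lower():
            continue  # only Slack Desktop entries are relevant here
        status = is_patched(version)
        if status is None:
            unknown.append(host)   # needs a manual look rather than silent skip
        elif not status:
            vulnerable.append(host)
    return vulnerable, unknown


if __name__ == "__main__":
    needs_upgrade, could_not_parse = find_vulnerable_hosts(SAMPLE_INVENTORY)
    print("needs upgrade to 3.4.0+:", needs_upgrade)
    print("version not parseable:", could_not_parse)
```

Hosts whose version field cannot be parsed are reported separately rather than dropped, since a blank or odd value in an inventory export usually means the agent did not see the install, not that the install is safe.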