A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps' code to default settings that allow any user to install an app for an entire workspace.

And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study's survey of those safeguards found that hundreds of apps' permissions would nonetheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.

"Slack and Teams are becoming clearinghouses of all of an organization's sensitive resources," says Earlence Fernandes, one of the researchers on the study who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. "And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform."

When WIRED reached out to Slack and Microsoft about the researchers' findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) Slack, for its part, says that a collection of approved apps that is available in its Slack App Directory does receive security reviews before inclusion and is monitored for any suspicious behavior. It "strongly recommends" that users install only these approved apps and that administrators configure their workspaces to allow users to install apps only with an administrator's permission. "We take privacy and security very seriously," the company says in a statement, "and we work to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one."

But both Slack and Teams nonetheless have fundamental issues in their vetting of third-party apps, the researchers argue. They both allow integration of apps hosted on the app developer's own servers with no review of the apps' actual code by Slack or Microsoft engineers. Even the apps reviewed for inclusion in Slack's App Directory undergo only a more superficial check: reviewers look at the apps' functionality to see whether they work as described, check elements of their security configuration such as their use of encryption, and run automated app scans that check their interfaces for vulnerabilities.

In another attack, the researchers found that apps can "overwrite" the command that launches another app in Slack or Teams, such as typing "/zoom" in one of the platforms to start a Zoom meeting. A malicious app, the researchers point out, could hijack that command to make "/zoom" instead launch an imposter copy of Zoom that intercepts all the users' communications. While the researchers note that Slack has recently added a safeguard that warns when an app overwrites a command in this way, it warns the user only upon installation of the app, and malicious apps can still perform that takeover trick after they're installed.

To get a sense of just how many apps might pose these sorts of risks, the researchers surveyed the permissions of all Slack and Teams apps and found that about one in three Teams apps and almost one in four Slack apps ask for permissions that would allow them to act as the user, posting messages or adding emoji reactions on their behalf. 52 percent of Slack apps ask for permissions that would allow them to overwrite another app's launch command. The researchers also point to yet another security issue, specific to Slack, that can allow an app to access private channels that are "locked" and intended to be accessible only to specific users, even when the app asks for no such permission.