您现在的位置是:探索 >>正文
【】
探索25794人已围观
简介A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over ...
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Well's security firm Tenable said in a separate report.

The vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controller server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle of carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noticed how Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.
Featured Video For You
Chadwick Boseman tapped to play history's first black samurai
Tags:
转载:欢迎各位朋友分享到网络,但转载请说明文章出处“夫榮妻貴網”。http://new.maomao321.com/news/48f52999422.html
相关文章
Katy Perry talks 'Rise,' her next batch of songs, and how to survive Twitter
探索Katy Perry recently surpassed 90 million followers on Twitter, making her the person with the most f ...
【探索】
阅读更多iOS 11 makes sexting on Snapchat riskier than ever. That's why you need the next update.
探索iOS 11 has just blessed us with a cavalcade of newfangled, super useful features. But, with every bl ...
【探索】
阅读更多10 days after Hurricane Maria, Puerto Rico is still fighting for life
探索In the aftermath of Hurricane Maria, Donald Trump blames Puerto Rico's continuing struggles on "poor ...
【探索】
阅读更多
热门文章
- Make money or go to Stanford? Katie Ledecky is left with an unfair choice.
- 'Rick and Morty' fans won: McDonald's will offer Szechuan sauce
- Team Jamaica supporters make a blistering comeback to Trump's remarks about Usain Bolt
- Betsy DeVos makes fears come true by revoking Obama
- Olympic security asks female Iranian fan to drop protest sign
- Here's what it's like when Bill Nye catches you Snapchatting in the elevator
最新文章
Daughter gives her 100
In a crisis, Facebook's far from perfect—but still essential
Jolly guy's laugh is so contagious that even chickens had to join in
New documentary exposes the increasing dependence we have on smartphones
Mom discovers security cameras hacked, kids' bedroom livestreamed
We know what Ataribox will cost now, but the numbers don't add up