Slack, the work collaboration app, has issued a security update following a vulnerability in its systems that could allow attackers to modify the location where downloaded files are stored.
Tenable researcher David Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. The flaw could have allowed “a remote attacker to submit a masqueraded link in a Slack channel, that ‘if clicked’ by a victim, would silently change the download location setting of the Slack client to an attacker-owned SMB share,” Wells said.
This would allow all future downloads to be uploaded to the attackers' own file server until the victim manually changes the setting. Furthermore, attackers could inject malicious code into the link, and once the link was clicked, the victim’s machine would be compromised.
Wells said in his blog post:
“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview.”
A spokesperson from Slack said:
“Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version.”