The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

A critical vulnerability in the popular Slack collaboration app would allow remote code-execution (RCE). Attackers could gain full remote control over the Slack desktop app with a successful exploit — and thus access to private channels, conversations, passwords, tokens and keys, and various functions. They could also potentially burrow further into an internal network, depending on the Slack configuration, according to a security report.

The bug (rated between nine and 10 on the CvSS vulnerability-severity scale), was disclosed on Friday, and involves cross-site scripting (XSS) and HTML injection. Slack for Desktop (Mac/Windows/Linux) prior to version 4.4 are vulnerable.

“With any in-app redirect-logic/open redirect, HTML or JavaScript injection, it’s possible to execute arbitrary code within Slack desktop apps,” wrote a bug-hunter going by the handle “oskarsv,” who submitted a report on the bug to Slack via the HackerOne platform (earning $1,500). “This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE JavaScript payload.”

According to the disclosed technical writeup, attackers could trigger an exploit by overwriting Slack desktop app “env” functions to create a tunnel via BrowserWindow; to then execute arbitrary JavaScript, in what is “a weird XSS case,” he said.

To exploit the bug, attackers would need to upload a file to their own HTTPS-enabled server with a payload; then, they could prepare a Slack post with an HTML injection containing the attack URL pointing to that payload (hidden in an image). After that, they need only to share that post with a public Slack channel or user. If a user clicks on the booby-trapped image, the code will be executed on the victim’s machine.

As for accomplishing the HTML injection, the issue lies in the way Slack posts are created, according to the researcher.

“[Creating a post] creates a new file on https://files.slack.com with [a specific] JSON structure,” according to the writeup. “It’s possible to directly edit this JSON structure, which can contain arbitrary HTML.”

oskarsv added, “JavaScript execution is restricted by Content Security Policy (CSP) and various security protections are in place for HTML tags (i.e. banned iframe, applet, meta, script, form etc. and target attribute is overwritten to _blank for A tags). However, it is still possible to inject area and map tags, which can be used to achieve a one-click-RCE.” He further explained that the URL link to the malicious payload could be written within the area tag.

Alternatively, oskarsv also discovered that emails (when sent as plaintext) are stored unfiltered on Slack servers – a situation that can be abused in order to store the RCE payload without attackers needing to own their own hosting.

“Since it’s a trusted domain, it could contain a phishing page with a fake Slack login page or different arbitrary content which could impact both security and reputation of Slack,” he explained. “There are no security headers or any restrictions at all as far as I could tell and I’m sure some other security impact could be demonstrated with enough time.”

Regardless of approach, exploits can be used to execute any attacker-provided command, according to the researcher.

“The payload can be easily modified to access all private conversations, files, tokens etc., without executing commands on the user’s computer,” he wrote, “[or] access to private files, private keys, passwords, secrets, internal network access, etc.”

Further, the payload could be made “wormable” so that it re-posts to all user workspaces, the researcher added.

Users should make sure their Slack desktop apps are upgraded to at least version 4.4 in order to avoid attacks. The bug was patched in February, but has just now been disclosed because of a HackerOne disclosure hiatus on all bugs, which was in effect for several months.

On Wed Sept. 16 @ 2 AM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Polish security researcher unveiled the flaw in a cross-browser sharing API that could allow attackers to steal user files.

Joseph Sullivan allegedly paid off $100K to the hackers responsible for a 2016 data breach, which exposed PII of 57 million passengers and drivers.

The unscheduled security update addresses two “important”-severity flaws in Windows 8.1 and Windows Server 2012.

The Charming Kitten APT is impersonating journalists via #WhatsApp and #LinkedIn in order to con victims into openi… https://t.co/r12qrAaKga

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.

Source: https://threatpost.com/critical-slack-bug-access-private-channels-conversations/158795/

World news – GB – Critical Slack Bug Allows Access to Private Channels, Conversations

Building on its expertise in the areas of digital, technologies and processes , CSS Engineering you in your most ambitious transformation projects and helps you bring out new ideas, new offers, new modes of collaboration, new ways of producing and selling.

CSS Engineering is involved in projects each customer as if it were his own. We believe a consulting company should be more than an advisor. We put ourselves in the place of our customers, to align we incentives to their goals, and collaborate to unlock the full potential their business. This establishes deep relationships and enjoyable.

Our services:

  1. Create professional websites
  2. Hosting high performance and unlimited
  3. Sale and video surveillance cameras installation
  4. Sale and Installation of security system and alarm
  5. E-Marketing

All our achievements here https://www.css-engineering.com/en/works/

LEAVE A REPLY

Please enter your comment!
Please enter your name here