SECURITY
SECURITY
SECURITY
Slack Incoming Webhooks can be used to phish users
Security researchers at AT&T Alien Labs have uncovered a vulnerability in Slack Inc. that can be used to phish users.
The discovery, announced today, involves exploiting Slack Incoming Webhooks. Designed as a simple way to post messages from apps into Slack, Incoming Webhooks offers a unique URL in which an app can send a JSON payload with message text and some options.
Webhooks open the door to post data on Slack. Although pitched as a secure service, the security researchers found that is “not entirely true.”
The problem starts with the channel override functionality that makes it easy to override the previously specified webhook target channel by adding a “channel” key to the JSON payload. In some cases that can also override channel posting provisions, but that’s not where the main vulnerability lies.
Enter GitHub. Although webhook URLs are meant to be secret and secure, the researchers found 130,989 public code results containing Slack webhook URLs, with the majority containing the unique webhook value.
Using those public URLs, Slack webhook phishing with Slack Apps becomes possible. The process involves discovering leaked webhooks; creating a Slack app and allow public installation of the app; sending malicious messages to discovered hooks; tracking workspaces that install the malicious app; and using the app to exfiltrate data from workspaces that install it.
There are some limitations. For example, the depth of access depends on requester access and the scope of that the app initially requests. There’s no known use of this method to steal Slack data in the wild as yet, but there are ways for Slack administrators to mitigate a possible attack.
The first and most simple is application whitelisting. Admins have the option to manage their users’ Slack applications and can set up application whitelisting and application approval to review and approve applications before installation.
The second is detecting suspicious OAuth applications where whitelisting may not be an option. Slack Audit Log data can be implemented into a security analytics platform to detect suspicious actions.
Slack itself can also implement changes to prevent this occurring, such as implementing least privilege for incoming webhooks, improved awareness of secrets handling and application verification.
In response to the report, Slack said it’s proactively scraping GitHub for publicly exposed webhooks and invalidating them.
Image: AT&T Alien Labs
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
