UPDATED 07:30 EDT / APRIL 15 2020

SECURITY

Slack Incoming Webhooks can be used to phish users

Security researchers at AT&T Alien Labs have uncovered a vulnerability in Slack Inc.'s messaging platform that can be used to phish users.

The discovery, announced today, involves exploiting Slack Incoming Webhooks. Designed as a simple way to post messages from apps into Slack, Incoming Webhooks offers a unique URL in which an app can send a JSON payload with message text and some options.

Webhooks open the door to posting data into Slack. Although pitched as a secure service, the security researchers found that this is “not entirely true.”

The problem starts with the channel override functionality that makes it easy to override the previously specified webhook target channel by adding a “channel” key to the JSON payload. In some cases that can also override channel posting provisions, but that’s not where the main vulnerability lies.

Enter GitHub. Although webhook URLs are meant to be secret and secure, the researchers found 130,989 public code results containing Slack webhook URLs, with the majority containing the unique webhook value.

Using those public URLs, Slack webhook phishing with Slack Apps becomes possible. The process involves discovering leaked webhooks; creating a Slack app and allowing public installation of the app; sending malicious messages to discovered hooks; tracking workspaces that install the malicious app; and using the app to exfiltrate data from workspaces that install it.

There are some limitations. For example, the depth of access depends on the requester's access and the scope that the app initially requests. There’s no known use of this method to steal Slack data in the wild as yet, but there are ways for Slack administrators to mitigate a possible attack.

The first and most simple is application whitelisting. Admins have the option to manage their users’ Slack applications and can set up application whitelisting and application approval to review and approve applications before installation.

The second is detecting suspicious OAuth applications where whitelisting may not be an option. Slack Audit Log data can be fed into a security analytics platform to detect suspicious actions.

Slack itself can also implement changes to prevent this from occurring, such as implementing least privilege for incoming webhooks, improved awareness of secrets handling and application verification.
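The leaked-webhook problem above comes down to secrets handling: a webhook URL committed to a public repository is a credential anyone can use. The following is an added example (not code from the article or from AT&T Alien Labs) of a small scanner a team could run over its own source tree before pushing, to catch Incoming Webhook URLs sitting in code or config. It assumes the URL shape `https://hooks.slack.com/services/T…/B…/…`, and the sample files and URL values it scans are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Assumed shape of a Slack Incoming Webhook URL: a team segment starting with
# "T", a bot segment starting with "B", then the secret token. The segment
# lengths are not assumed, so the pattern is deliberately permissive.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]+)"
)


def find_leaked_webhooks(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, redacted_url) for every webhook URL found.

    The secret segment is truncated in the report so that the scanner's own
    output does not become another place the full credential is written down.
    """
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in WEBHOOK_RE.finditer(line):
                team, bot, secret = match.groups()
                redacted = (
                    f"https://hooks.slack.com/services/{team}/{bot}/{secret[:4]}..."
                )
                findings.append((path, lineno, redacted))
    return findings


# Constructed sample repository contents. Only the shell script embeds a
# literal webhook URL (a placeholder value, not a real hook); the YAML file
# correctly references an environment variable instead.
SAMPLE_FILES: Dict[str, str] = {
    "deploy/notify.sh": (
        'curl -X POST -H "Content-type: application/json" '
        '--data \'{"text":"deployed"}\' '
        "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
    "config/settings.yml": "slack_webhook: ${SLACK_WEBHOOK_URL}\n",
    "README.md": "Set SLACK_WEBHOOK_URL in your environment before deploying.\n",
}

if __name__ == "__main__":
    for path, lineno, url in find_leaked_webhooks(SAMPLE_FILES):
        print(f"{path}:{lineno}: Slack webhook URL committed: {url}")
```

A hit should be treated as a leaked credential: rotate the webhook in Slack and move the URL into a secret store or environment variable, as the YAML sample does.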

In response to the report, Slack said it’s proactively scraping GitHub for publicly exposed webhooks and invalidating them.
