A security vulnerability in the cloud-based communication platform Slack has recently been identified by researchers. The weakness could potentially allow a threat actor to hijack inbound webhooks, which are tools used for importing user posts into Slack from outside applications, in order to launch a phishing attack.
The flaw was discovered by Alien Labs, the division handling cybersecurity at US multinational AT&T. According to its research department, a hacker would first need to find a Slack webhook that had been leaked online. Because a webhook exists only in the form of a web address and doesn’t carry data, the attacker would then be required to send out a malicious application to a channel in Slack, with the end goal that one or more users in the channel will install it.
If this scenario should occur, researchers warn that in theory threat actors could then misappropriate private details and sensitive company data from any Slack users unfortunate enough to download the malicious app.
A new risk on the rise
Previously, the threat of Slack webhooks being exploited by hackers has commonly been considered low risk. This is mainly because unique webhooks are typically kept private and this type of attack can only be deployed on a particular channel.
However, in light of new data discovered by researchers at Alien Labs, the threat is now being taken more seriously. The researchers found 130,989 Slack webhook web addresses available online, the majority of which contained all the information a hacker would require to complete a phishing attack.
Further to this, Alien Labs suggests that an attacker who manages to compromise a Slack webhook may also be able to alter posting permissions for channels. This could make it possible for them to roll out the harmful application to even more channels.
Attacks made using links on communication platforms can be highly effective, as users tend to be less mindful of threats when using such messaging solutions, particularly when interacting with them on smartphones and other mobile devices.
Javvad Malik of cybersecurity training experts KnowBe4 commented:
“All this combined can lead to a great increase in the likelihood of a spearphishing attack being successful. It is why employees need to be wary of phishing attacks not just from email, but all social media platforms.”
How to protect company data from phishing attacks using Slack webhooks
Following their discovery, researchers at Alien Labs have offered some recommendations to security professionals and Slack administrators.
Foremost, they suggest that those overseeing Slack channels should allow applications to be installed only from Slack’s dedicated app directory. This is because they will have been comprehensively checked by the company’s security team. For working environments that are even more sensitive, however, Slack admins can both review and approve every application prior to installation.
Finally, the researchers recommend that Slack would be well advised to ensure webhooks “default to only working in the defined channel.” They also suggest “multi-channel webhooks/overrides should be a separate application or opt-in setting”.
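Because the attack described above starts from a webhook address that has leaked online, administrators can also scan their own repositories and configuration files for such addresses so that any exposed webhook can be revoked and reissued. The Python below is an added example, not code from Alien Labs or Slack; it assumes the commonly documented `hooks.slack.com/services/T…/B…/…` URL shape, and the file names and URLs in the sample are constructed placeholders.

```python
import hashlib
import re

# Assumed shape of a Slack incoming-webhook URL: workspace id (T...),
# webhook id (B...), then a secret token.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]+)"
)

def scan_text(name, text):
    """Return one finding per webhook URL occurrence, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            team, hook, _secret = m.groups()
            findings.append({
                "file": name,
                "line": lineno,
                # Never echo the token into reports or tickets.
                "redacted": f"https://hooks.slack.com/services/{team}/{hook}/[REDACTED]",
                # A short hash lets the same webhook be matched across files.
                "fingerprint": hashlib.sha256(m.group(0).encode()).hexdigest()[:12],
            })
    return findings

def scan_all(files):
    """Scan a mapping of file name -> file contents."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings

def unique_webhooks(findings):
    """Group locations by fingerprint so each leaked webhook is rotated once."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["fingerprint"], []).append((f["file"], f["line"]))
    return grouped

# Constructed sample input: placeholder URLs, not real webhooks.
FAKE_A = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
FAKE_B = "https://hooks.slack.com/services/T00000000/B11111111/YYYYYYYYYYYYYYYYYYYYYYYY"
SAMPLE_FILES = {
    "deploy/notify.sh": f"curl -X POST -d @msg.json {FAKE_A}\n",
    "config/settings.yaml": f'slack:\n  webhook: "{FAKE_A}"\n  alerts: {FAKE_B}\n',
    "README.md": "See https://api.slack.com/messaging/webhooks for setup.\n",
}

if __name__ == "__main__":
    for fingerprint, places in unique_webhooks(scan_all(SAMPLE_FILES)).items():
        print(fingerprint, places)
```

In practice the `files` mapping would be filled from a repository checkout or a paste export, and each fingerprint in the output corresponds to one webhook to revoke.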