Slack users targeted for phishing attacks - here’s how to stay protected

Report raises worrying Slack threats


Slack users have been warned to take extra care when using the online collaboration service after researchers uncovered worrying security risks.

According to an AT&T AlienLabs report, incoming ‘webhooks’, which third-party apps use to post messages into Slack, can be hijacked to carry out phishing attacks.

A compromised webhook not only allows unauthorized users to send messages to all the Slack channels, but it can also alter channel posting permissions.

Since webhooks cannot carry data themselves, hackers could instead exploit these vulnerabilities to con Slack users into installing malicious apps, which would give them a potential entry route for stealing data from the workspace.

Webhooks vulnerability


The researchers showed how a simple application created with the aim to phish data can be shared via spam messages to multiple Slack channels. Once a user installs the malicious application, it can then easily exfiltrate data and send it back to the hackers.

Also, once a malicious app is installed on a system, it can be used to send messages on behalf of the user, making other contacts believe the app to be trustworthy.

Since Slack allows users to install third-party apps to use in conjunction with the platform by default, the researchers recommend that workspace owners should restrict users from installing third-party apps using Slack’s inbuilt whitelisting options in order to mitigate the threat.


Mandatory approval by Admins before downloading and installing applications that have not gone through Slack’s security review process is also recommended to limit any potential threats.

Monitoring data with the help of security analytics platforms can also raise an alarm if:

Experts also suggest that Slack should by default limit the functionality of applications that have not been reviewed, and that incoming webhooks should only be allowed to post to the channel they were configured for.

In response to the findings, Slack has said that, “We proactively scrape GitHub for publicly exposed webhooks and invalidate them. Webhooks are safe as long as they remain secret since the webhook URL itself is unguessable. We allow teams to require admin approvals on all apps, and recommend they establish and follow basic security diligence procedures before permitting apps to be added into a workspace.”

It advised users to “establish and follow basic security diligence procedures before permitting apps to be added into a workspace.”
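Because the webhook URL is the only secret protecting an incoming webhook, a workspace's own first line of defence is to find such URLs before they leak. The following scanner is an added example, not code from the article, Slack or AT&T AlienLabs; it matches the documented `hooks.slack.com/services/T.../B.../...` URL shape against constructed sample files, reports each hit with the secret part redacted, and offers a redaction helper for cleaning logs or commit contents.

```python
import re

# Shape of a Slack incoming webhook URL: team ID, bot/app ID, then a secret token.
# The IDs and tokens used below are constructed sample values, not real webhooks.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]{8,})/(B[A-Z0-9]{8,})/([A-Za-z0-9]{20,})"
)

# Constructed repository contents standing in for files checked into source control.
SAMPLE_FILES = {
    "deploy/notify.sh": (
        "curl -X POST -d '{\"text\":\"deployed\"}' "
        "https://hooks.slack.com/services/T0000ABCD/B000EFGH1/abcdefghijklmnopqrstuvwx\n"
    ),
    "README.md": "Set SLACK_WEBHOOK_URL in your environment; never commit it.\n",
    "config.json": (
        '{"alerts": "https://hooks.slack.com/services/TXXXXXXXX/BYYYYYYYY/' + "z" * 24 + '"}\n'
    ),
}


def find_leaked_webhooks(files):
    """Return (path, line_no, redacted_url) for every webhook URL found in files.

    Only the first four and last two characters of the secret are kept so the
    finding can be matched to the right webhook without re-leaking it.
    """
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in WEBHOOK_RE.finditer(line):
                team, bot, secret = m.groups()
                redacted = f"https://hooks.slack.com/services/{team}/{bot}/{secret[:4]}...{secret[-2:]}"
                hits.append((path, lineno, redacted))
    return hits


def redact(text):
    """Replace the secret segment of any webhook URL in text with a placeholder."""
    return WEBHOOK_RE.sub(
        lambda m: f"https://hooks.slack.com/services/{m.group(1)}/{m.group(2)}/<REDACTED>", text
    )


if __name__ == "__main__":
    for path, lineno, url in find_leaked_webhooks(SAMPLE_FILES):
        # A hit means the webhook should be treated as compromised: remove it in
        # the Slack app configuration, create a new one and move it to a secret store.
        print(f"{path}:{lineno}: exposed Slack webhook {url}")
```

Run as a pre-commit hook or over a repository's history, a hit is a signal to revoke the webhook, not just delete the line, since anyone who saw the URL can still post with it.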

Via: AT&T AlienLabs

Jitendra has been working in the Internet Industry for the last 7 years now and has written about a wide range of topics including gadgets, smartphones, reviews, games, software, apps, deep tech, AI, and consumer electronics.
