Slack disclosed a remote code execution (RCE) flaw in its desktop application for Windows, macOS, and Linux on August 31st, 2020. An attacker could inject HTML into a Slack post; a user who clicked on the injected image was redirected, inside the Slack desktop application, to an attacker-controlled server, and the malicious JavaScript payload served from there then executed within the Electron-based client on the user's local machine. Because the payload runs inside the desktop application rather than in a browser sandbox, the result is code execution with the user's privileges, and with it access to any data the Slack client can reach, not only the messages it displays. The vulnerability was reported to Slack through HackerOne in January 2020 and patched in February 2020, but the report remained undisclosed until the end of August. All users of the Slack desktop application should upgrade to version 4.4 or later.

Experts Comments

September 04, 2020
Mieng Lim
VP of Product Management
Digital Defense, Inc.
A remote code execution of this type could easily make its way into a corporate environment. With the increased utilization of and reliance on collaboration and communications platforms such as Slack to support remote working, and their popularity for social use, it’s important to ensure users know how to segregate corporate use from personal use and to verify that all clients are up to date.