Collaboration company Slack disclosed a Remote Code Execution (RCE) flaw on August 31st, 2020, affecting users of its Windows, Mac OS, and Linux desktop application versions. Users that click on an HTML injected image are redirected to an attacker’s server where a malicious JavaScript payload is executed within the Slack application on the user’s local machine, which could gain an attacker access to any sensitive data held within the Slack application. This vulnerability was initially reported by a security researcher through HackerOne in January, patched by Slack in February but went undisclosed until recently. It is recommended that all users of the Slack desktop application use version 4.4 or greater.
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
