Slack Desktop App Vulnerability – Expert Source

By ISBuzz Team, Writer, Information Security Buzz | Sep 04, 2020 07:02 am PST

Collaboration company Slack disclosed a Remote Code Execution (RCE) flaw on August 31st, 2020, affecting users of its Windows, Mac OS, and Linux desktop application versions. Users who click on an HTML-injected image are redirected to an attacker's server, where a malicious JavaScript payload is executed within the Slack application on the user's local machine; this could give an attacker access to any sensitive data held within the Slack application. The vulnerability was initially reported by a security researcher through HackerOne in January and patched by Slack in February, but it went undisclosed until recently. It is recommended that all users of the Slack desktop application use version 4.4 or greater.

1 Expert Comment
Mieng Lim, VP of Product Management
September 4, 2020 3:04 pm

A remote code execution of this type could easily make its way into a corporate environment. With the increased utilization and reliance on collaboration and communications platforms, such as Slack to support remote working and its popularity for social use, it's important to ensure users know how to segregate corporate use from personal and verify all clients are up to date.

