时间:2026-07-11 16:42:05 来源:网络整理编辑:熱點
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Well's security firm Tenable said in a separate report.
Credit: david wells / medium / screenshotThe vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controller server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle of carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noticed how Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.
Cat gets stuck in the most awkward position ever2026-07-11 16:29
武磊:12強賽更應放下包袱 高溫對澳大利亞困難更大2026-07-11 16:29
差距 !C羅女友又內涵安切洛蒂 但安帥卻在祝福C羅2026-07-11 15:55
吳曦曬國足隔離餐 球迷:怎麽感覺比李鐵指導的豐盛?2026-07-11 15:47
Sound the alarms: Simone Biles finally met Zac Efron2026-07-11 15:33
轉會通 :穆帥欲壓哨簽維特塞爾 熱刺接近巴薩毒瘤2026-07-11 15:04
哀悼!熱刺最年長季票持有者逝世 享年106歲2026-07-11 14:37
C羅離隊尤文已尋好替身 回收青訓佳品已達成一致2026-07-11 14:17
U.S. pole vaulter skids to a halt for national anthem2026-07-11 14:01
藍黑新援首秀替補11分鍾雙響 國米管理層今夏神操作2026-07-11 13:56
This app is giving streaming TV news a second try2026-07-11 16:38
吳曦曬國足隔離餐 球迷:怎麽感覺比李鐵指導的豐盛?2026-07-11 16:34
國足多哈首練陳戌源現場督軍 武磊參加全隊合練2026-07-11 16:25
上觀:歸化國腳仍需進一步融入 長遠看還得培養“小武磊們”2026-07-11 15:08
Tourist survives for month in frozen New Zealand wilderness after partner dies2026-07-11 15:07
穆勒談再戰巴薩 :我們仍有著去年戰勝他們的美好回憶2026-07-11 15:02
國足晚間開練適應節奏 多哈首訓場地草皮質量一流2026-07-11 14:37
陳戌源自始至終未提12強賽目標 盼國足打出精氣神2026-07-11 14:30
Olympian celebrates by ordering an intimidating amount of McDonald's2026-07-11 14:17
國米前瞻:藍黑軍衝擊開季連勝 強力新援或迎首秀2026-07-11 14:11