时间:2026-07-07 19:09:25 来源:网络整理编辑:娛樂
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over
A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and potentially spread malware.
The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.
"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':
Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Well's security firm Tenable said in a separate report.
Credit: david wells / medium / screenshotThe vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controller server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.
The main obstacle of carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noticed how Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.
"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.
"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.
Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.
'The Flying Bum' aircraft crashes during second test flight2026-07-07 18:43
徐根寶為昔日愛將證婚 :生三胎 超過有倆娃的武磊呂文君2026-07-07 18:36
14歲15天!美國神童簽職業合同 破阿杜18年前紀錄2026-07-07 18:21
迪巴拉怒了!曝小魔仙拒絕續約尤文 將洽談自由轉會2026-07-07 18:20
Twitter grants everyone access to quality filter for tweet notifications2026-07-07 18:11
超甲附加賽總結:浙江成都衝超成功 大連青島降中甲2026-07-07 18:06
鋼鐵藍軍 !切爾西第9次進聯賽杯決賽 防線已入19球2026-07-07 17:49
馬明宇:恭喜蓉城 成都早該有一支頂級聯賽球隊2026-07-07 17:45
Researchers create temporary tattoos you can use to control your devices2026-07-07 17:43
官方 :前國安外援巴坎布自由身加盟馬賽 身穿13號球衣2026-07-07 17:31
MashReads Podcast: What makes a good summer read?2026-07-07 18:31
評分會騙人 !登貝萊獲最佳卻無實質貢獻 射門太離譜2026-07-07 18:09
滬媒 :奧斯卡轉會低於2000萬歐免談 傳聞僅存在於西班牙2026-07-07 17:45
曝海港主帥將經紀人告上法庭 因被其指控抽取轉會傭金2026-07-07 17:44
Photos show the Blue Cut fire blazing a path of destruction in California2026-07-07 17:38
媒體人:國安下周前後官宣新教練 來個“大驚喜”可能性不大2026-07-07 17:38
馬明宇:恭喜蓉城 成都早該有一支頂級聯賽球隊2026-07-07 17:26
國足龐大訓練營內卷到極致 兩場熱身後將裁員21人2026-07-07 17:17
Old lady swatting at a cat ends up in Photoshop battle2026-07-07 17:02
巴坎布:離開國安後想尋求挑戰 我比剛來中國時更有實力2026-07-07 16:59