Digging deeper into the vulnerability details
Slack allows users to share files in public or private channels. If a private file is shared in a conversation, anyone who is part of that conversation can view it.
What can you do about it?
An easy way to avoid falling victim to this flaw is not to share anything sensitive via Slack unless you trust the people in the conversation not to reshare the file without permission.
What they’re saying
“Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations,” said the team at Polyrize.
A spokesperson for Slack was reported as saying, “We appreciate that the presence of the unshare button is confusing since we changed the way commenting works for Snippets and Posts. We are grateful to Polyrize for bringing this usability issue to our attention. We are planning to correct the interface but the security model for sharing Snippets and Posts on Slack will continue to operate as it does today.”
Duncan Brown from Forcepoint said, “This vulnerability in Slack is another example of the ways malicious actors can steal sensitive data. Companies often have a very poor visibility of how their sensitive data is being stored, used and manipulated. With the adoption of multi-cloud services of all kinds, we've seen this data sprawl and confusion only increase.”