Flaw in Slack Allows Workspace Members to Access Files in Private Channels

• The popular messaging app Slack has been found to contain a security flaw that allows colleagues to access unshared Slack documents.
• Slack says that the behavior applies only to specific types of files, and that is the intended behavior.

Digging deeper into the vulnerability details

Slacks allows users to share files in public or private channels. If a private file is shared in a conversation, anyone who is a part of the conversation can view it.

• Ideally, when someone leaves the conversation, they would no longer be able to access the private file.
• In case someone in the private conversation shares the file with a different conversation, members in that conversation can now view the file.
• Researchers from Polyrize, an Israeli cloud security outfit, who discovered the vulnerability said that this flaw could be verified on the Slack’s user interface as well as by making the associated API calls.

What can you do about it?

An easy way to prevent being a victim because of this flaw would be not to share anything sensitive via Slack unless you trust the people in the conversation not to reshare the file without permission.

What they’re saying

“Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations,” said the team at Polyrize.

A spokesperson for Slack was reported saying, “We appreciate that the presence of the unshare button is confusing since we changed the way commenting works for Snippets and Posts. We are grateful to Polyrize for bringing this usability issue to our attention. We are planning to correct the interface but the security model for sharing Snippets and Posts on Slack will continue to operate as it does today.”

Duncan Brown from Forcepoint said, “This vulnerability in Slack is an another example of the ways malicious actors can steal sensitive data. Companies often have a very poor visibility of how their sensitive data is being stored, used and manipulated. With the adoption of multi-cloud services of all kinds, we've seen this data sprawl and confusion only increase.”