Security researchers have uncovered a flaw in messaging app Slack that allows a file shared in a private channel to be viewed by anyone in that workspace – even guests.
Folk from Israeli cloud security outfit Polyrize uncovered the vuln, that they say exposes files shared through the IRC-for-millennials application, which boasts millions of users.
"If you share your file once, even if you later unshare it, that file can still be exposed to other people, without any indication to you,” said Polyrize, adding that the vuln includes the viewing of files through API queries.
It works through Slack's implementation of file-sharing. Posts on a Slack workspace can be in a public channel, or conversation, where anyone with an account on that workspace can join and view messages and files, or a private conversation (invite-only). Files are shared with conversations which can have one or more participants; if you're in a conversation where a private file is shared, you can view it. Should you leave that private conversation, you can't view files from within it.
That's how it's meant to work, anyway. According to Polyrize, however, if someone in a private conversation shares a file from it to a different conversation, that bypasses the controls.
"Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations," Polyrize told The Register.
In the video above is a demonstration of the vulnerability. The screen is split in half vertically.
Polyrize told The Register that the vuln can be verified not only through the Slack GUI (graphical user interface) but also by making API calls to Slack for a file shared, re-shared and de-shared in this way and inspecting the results.
A Slack spokesman told The Register: "We understand how important file security is for Slack's customers. The behavior described only applies to two types of files in Slack, Snippets and Posts (two options for sharing and collaborating around longer form content in Slack). Most files shared in Slack are not these types of files."
The spokesman continued:
When you share Snippets and Posts in private channels or messages, only the included people can see those Snippets and Posts or find them in search. When you share Snippets and Posts in public channels, anyone in the workspace can see those Snippets and Posts or find them in search. This is intended functionality.
We appreciate that the presence of the unshare button is confusing since we changed the way commenting works for Snippets and Posts. We are grateful to Polyrize for bringing this usability issue to our attention. We are planning to correct the interface but the security model for sharing Snippets and Posts on Slack will continue to operate as it does today.
Duncan Brown, chief security strategist of infosec biz Forcepoint, told The Register that this is an all too familiar refrain: "This vulnerability in Slack is an another example of the ways malicious actors can steal sensitive data. Companies often have a very poor visibility of how their sensitive data is being stored, used and manipulated. With the adoption of multi-cloud services of all kinds, we've seen this data sprawl and confusion only increase." He added: "Organisations need to make sure they have a strong visibility of the data they have, and where it's going, at all times. Looking at activity at the level of individual users is one way to do that. While this particular vulnerability is unfortunate, it's more a symptom of the wider issue of data governance."
As described, working around the vulnerability is fairly easy: don't use Slack to share sensitive files. If you must use Slack to do that thing, only share files with people whom you trust not to reshare them into different conversations. ®