Slack Webhooks Exposed as Potential Phishing Hooks

Researchers say there are nearly 131,000 Slack webhook URLs available on the Internet

Published: April 21, 2020

Ian Taylor, Editor

According to Alien Labs, Slack phishing attacks are possible using the company’s webhooks. The good news is that a webhook is only a URL and contains no data of its own. This means an attacker holding one would still have to post a malicious app into a Slack channel and hope that someone installs it before any data could be taken.

Alien Labs is the cybersecurity division of AT&T, and its researchers discovered that some 131,000 Slack webhook URLs were available online. The vast majority of these webhooks included all the information needed to carry out a successful phishing attack, the researchers found. Although the risk is low, an attacker could still access private information from any user who did install the app. To date, no malicious attacks are known to have occurred as a result of the exposure.

Much like Zoom, which has also recently faced scrutiny over security concerns, Slack swiftly offered an explanation of how to keep user data secure. In a statement, a spokesperson told UC Today that the company is doing everything it can to educate users on how to use Slack, adding: “Webhooks are credential tools that provide access to posting functionality within a workspace. Though data is not exposable through webhooks on Slack, we recommend those workspace owners or admins invalidate ‘publicly exposed’ webhook URLs and generate new ones.”

He told me that, to help Slack admins ensure URLs don’t get exposed, the company “Scrapes GitHub for public webhooks and invalidates them.” I want to note, once more, that webhooks are safe as long as they remain secret. Slack recommends that workspace owners and admins store credentials securely, telling us this includes restricting token use by IP address, setting up verification of requests from Slack, and rotating and expiring tokens.
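The “verification of requests from Slack” recommendation above refers to Slack’s signed-request scheme, in which each request carries a timestamp and an HMAC-SHA256 signature computed over `v0:<timestamp>:<body>` with the app’s signing secret. The following is an added example, not code from the article or from Slack, showing how a receiving app checks that signature and rejects stale timestamps; the signing secret, timestamp and body are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample signing secret for this example; not a real Slack secret.
SIGNING_SECRET = "8f742231b10e8888abcd99yyyzzz85a5"
# Slack's documented tolerance for request age; anything older is treated as a replay.
REPLAY_WINDOW_SECONDS = 60 * 5


def slack_signature(signing_secret: str, timestamp: str, body: str) -> str:
    """Compute the v0 signature Slack places in the X-Slack-Signature header.

    The base string is "v0:<timestamp>:<raw request body>", signed with
    HMAC-SHA256 keyed by the app's signing secret; the header value is
    "v0=" followed by the hex digest.
    """
    base_string = f"v0:{timestamp}:{body}".encode("utf-8")
    digest = hmac.new(signing_secret.encode("utf-8"), base_string, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def verify_slack_request(headers: Dict[str, str], body: str,
                         signing_secret: str = SIGNING_SECRET,
                         now: Optional[float] = None) -> bool:
    """Return True only if the request carries a fresh, valid Slack signature."""
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    provided = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit() or not provided:
        return False
    current = time.time() if now is None else now
    # Reject stale timestamps so a captured request cannot be replayed later.
    if abs(current - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False
    expected = slack_signature(signing_secret, timestamp, body)
    # Constant-time comparison so the check does not leak the expected value via timing.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample request: a slash-command payload with a matching signature.
    ts = "1587427200"
    payload = "token=xyz&team_id=T000000&command=%2Fdeploy&text=staging"
    sample_headers = {
        "X-Slack-Request-Timestamp": ts,
        "X-Slack-Signature": slack_signature(SIGNING_SECRET, ts, payload),
    }
    print("fresh request valid:", verify_slack_request(sample_headers, payload, now=int(ts) + 10))
    print("replayed request valid:", verify_slack_request(sample_headers, payload, now=int(ts) + 600))
```

Any request that fails the check should be dropped before its body is parsed, and the same check applies to interactive-message and Events API callbacks.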

“We provide more features to support the proper oversight of app installation and usage within workspaces, which help workspace owners and admins protect workspaces.”

A Slack spokesperson further shared that the company lets teams require admin approval for all apps, and recommends they establish and follow the basic security protocols Slack provides for adding apps to a workspace.

Earlier this month at Enterprise Connect, Slack announced it would integrate with Zoom, Cisco Jabber, RingCentral, Dialpad, and Microsoft Teams. In a statement to UC Today, Slack said that over the past month it has experienced almost 350 percent growth in the number of calls made and received in Slack, including native Slack calls and calls made with BlueJeans (soon to be part of Verizon), Webex, Zoom, and others. Overall, collaboration vendors are reporting major user upticks with COVID-19 looming in the background.

The company also announced the addition of its ‘Shortcuts’ feature, following the complete overhaul of Slack’s user interface and its biggest redesign to date. The new ‘Shortcuts’ button fast-tracks actions like making calls. Also earlier this month, Slack CEO Stewart Butterfield took to Twitter, telling followers the number of concurrent Slack users increased from 10 million on March 10, 2020, to 12.5 million on March 25, 2020.

What is certain, as collaboration tools gain a more mainstream appeal, attackers will stop at nothing to infiltrate private communications in search of anything that could harm users.
