Vulnerabilities Uncovered in Teams and Slack

University of Wisconsin-Madison researchers found security vulnerabilities in the apps


Published: September 27, 2022

James Stephen

Technology Journalist

Researchers from the University of Wisconsin-Madison have published their findings on the lack of adequate security features in Microsoft Teams’ and Slack’s applications.  

The paper, titled “Experimental Security Analysis of the App Model in Business Collaboration Platforms”, demonstrates how third-party apps can be used to control workplace tools.  

Teams and Slack were both found to ship with inadequate default settings that allow individual users to install apps for an entire workspace. The researchers also showed that neither platform adequately reviews the code of third-party apps. Under the current permission model, outsiders can hijack user messaging and third-party apps, and gain access to private channels containing sensitive content.

In the introduction to their report, the researchers outlined their key findings: “By examining each interaction method between BCP (Business Collaboration Platform) apps and users, we establish that this two-level access control system does not adequately confine third-party application behaviour.

“Concretely, we have discovered that the BCP access control system violates two standard security principles: least privilege and complete mediation.  

“This allows malicious apps to escalate their privilege and violate the confidentiality and integrity of private chat messages and third-party resources connected to BCPs.”  

In order to locate the security weaknesses in Teams and Slack, the researchers launched a number of controlled attacks, which uncovered a worrying range of ways to exploit these vulnerabilities.  

The current app permissions allow outsider access to scheduled posts, which could potentially be used for phishing, controlling other applications, or changing code to crash an application. Software developers were frequently found to enact changes in code via Slack messages, providing a means for malicious actors to intercept and interfere with internal company coding.  

Zoom was another name regularly appearing in the report. Researchers found that a Zoom meeting could be launched via Teams and Slack by using the command “/zoom”. A malicious app could abuse this by registering its own “/zoom” command that overrides the legitimate one, giving it access to communications on the user’s account.

Slack now has a safeguard in place to warn users when an app overwrites a command, but only when it is being installed. After installation, malicious parties could continue spying on their communications without any security notifications.

Another issue identified relating to Slack is the vulnerability of its private channels. When a user copies a link to a message from a private channel, the message unfurls to show the full text. Permissions, therefore, allowing read and write access to basic information about private channels and direct messages could potentially offer insight into private channel communications. In a survey, the researchers found that 11 Slack apps ask for these precise permissions.  
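The two gaps described above (Slack warns about an overwritten slash command only at install time, and apps can hold scopes that expose private-channel and DM content) both come down to periodically re-checking what is installed rather than trusting a one-off install-time prompt. The following is an added example, not code from the research paper, UC Today, Slack or Microsoft: it audits a constructed app inventory for slash-command collisions and for apps holding private-content scopes. The scope names follow Slack’s OAuth naming (`groups:read`, `im:read`, `links:read`, and so on), but the inventory format and the severity rules are assumptions for illustration; an admin would populate the list from the platform’s app-management export.

```python
"""Audit a Slack-style app inventory for command collisions and
over-privileged apps. Added example; inventory and rules are constructed."""
from dataclasses import dataclass, field

# Scopes that grant visibility into private channels or DMs.
# Descriptions are approximate paraphrases of Slack's scope docs (assumption).
SENSITIVE_SCOPES = {
    "groups:read": "basic info about private channels",
    "groups:history": "message history of private channels",
    "im:read": "basic info about direct messages",
    "im:history": "message history of direct messages",
    "links:read": "view URLs in messages (used for link unfurling)",
}


@dataclass
class InstalledApp:
    name: str
    publisher: str
    approved: bool                               # on the admin-approved list?
    scopes: set = field(default_factory=set)     # OAuth scopes granted
    commands: set = field(default_factory=set)   # slash commands it registers


def find_command_collisions(apps):
    """Return {command: [app names]} for every slash command claimed by more
    than one app. Re-running this on the live inventory catches a collision
    that the install-time warning would no longer surface."""
    owners = {}
    for app in apps:
        for cmd in app.commands:
            owners.setdefault(cmd, []).append(app.name)
    return {cmd: sorted(names) for cmd, names in owners.items() if len(names) > 1}


def find_overprivileged(apps):
    """Return {app name: [sensitive scopes]} for apps able to see private content."""
    out = {}
    for app in apps:
        hits = sorted(s for s in app.scopes if s in SENSITIVE_SCOPES)
        if hits:
            out[app.name] = hits
    return out


def audit(apps):
    """Produce human-readable findings: collisions first, then scope findings.
    Unapproved apps holding private-content scopes are rated HIGH (assumed rule)."""
    findings = []
    for cmd, names in find_command_collisions(apps).items():
        findings.append(f"COMMAND COLLISION: /{cmd} registered by {', '.join(names)}")
    for name, scopes in find_overprivileged(apps).items():
        app = next(a for a in apps if a.name == name)
        sev = "MEDIUM" if app.approved else "HIGH"
        findings.append(f"{sev}: {name} ({app.publisher}) holds {', '.join(scopes)}")
    return findings


# Constructed sample inventory (not real workspace data).
SAMPLE_APPS = [
    InstalledApp("Zoom", "Zoom Video Communications", True,
                 {"commands", "chat:write"}, {"zoom"}),
    InstalledApp("MeetingHelper", "unknown-dev", False,
                 {"commands", "groups:read", "im:read", "links:read"},
                 {"zoom", "standup"}),
    InstalledApp("Deploy Bot", "internal", True,
                 {"commands", "chat:write"}, {"deploy"}),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_APPS):
        print(line)
```

Running the script reports that `/zoom` is claimed by both “Zoom” and the unapproved “MeetingHelper”, and that MeetingHelper holds the three scopes that let it read basic private-channel and DM information and unfurl links. The point of the scheduled re-check is that the install-time warning is a single event; the inventory is what changes afterwards.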

While some of these issues could be easily patched, the third-party apps that plug into Slack and Teams are hosted on servers outside the platforms’ control. Slack and Teams therefore have limited ability to fix these issues themselves, because they have no jurisdiction over external developers. To deliver a global security update for their users, Teams and Slack would need to change their model so that they police app code, including code changes and app permissions.

The report concludes: “We created proof-of-concept attacks that exploit these violations to impersonate users and trick victim apps into performing unwanted actions; hijack commands; steal messages from private channels without appropriate permissions.  

“Our discussion of countermeasures indicates that while point fixes for these attacks can be deployed at the cost of BCP usability, preventing further issues requires redesigning the BCP app access control model.” 

In response to the research, a Microsoft spokesperson told UC Today:

“We’ve reviewed the report and have determined that many of the conclusions reached are based on methodology that we need more information to speak to. We’ve reached out to the researchers and will thoroughly investigate all claims and will take any necessary action to help protect customers.”

A spokesperson from Slack also responded to UC Today: “We take privacy and security very seriously, and we work to ensure that Slack is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one.

“There are multiple ways that we prioritize the security of Slack apps and protect users against suspicious activity.”

The spokesperson outlined Slack’s security precautions, which essentially advocate its approved apps and warn against the use of unapproved apps.

Its 2500+ apps from the Slack App Directory “undergo a thorough review and approval process to ensure they met our APU, TOS, developer policy, and security guidelines”. Furthermore, approved apps “benefit from ongoing oversight from Slack’s monitoring and alerting system”.

Slack has app management features which can provide workspace admins with end-to-end control over applications within their organisation, and it offers information to help admins determine the risk level of an application.

The spokesperson for Slack also said that developers using its new platform, announced recently at Dreamforce 2022, “will have the option to deploy code and store data on Slack’s managed infrastructure. Apps stored on Slack’s infrastructure will automatically comply with our security and compliance standards.”

Slack’s response does not directly deal with the issues raised by the research, but the message is clear: security is only assured if admins stick to the approved app list.

WIRED reported that Microsoft and Slack confirmed the possibility of these hacking methods to the research group. However, they believe the findings did not “meet their definitions of security vulnerability” because it requires tricking users into installing malicious apps. This shifts the responsibility onto IT administrators who “are even worse off than Slack”, according to the University of Wisconsin researcher Yue Gao.

Microsoft Teams was recently in the spotlight for a security vulnerability in which hackers could access a user’s camera and read content on the screen in the reflection of the user’s glasses. The technique appears to have limited practical application for the time being, however.  

Protecting Against Software Vulnerabilities

Any software your organisation runs may have in-built vulnerabilities, such as those uncovered in Teams and Slack. Malicious actors can use these weaknesses to gain access to confidential information and even interfere with the coding of your software applications.  

There are many ways vulnerabilities occur in software, including insecure coding, reusing vulnerable code, and emerging threats. Common vulnerabilities that result from these are zero-day threats, bugs and glitches, buffer overflows, SQL and OS command injection, and configuration errors.

To protect against these software vulnerabilities, your organisation should create a clear security policy, which it can maintain throughout software acquisition, coding and decision-making. When you install a new application, evaluate all the possible security issues and find out about any vulnerabilities before choosing to implement it.  

Companies creating their own software solutions should observe coding standards such as the OWASP Secure Coding Practices and the Common Weakness Enumeration (CWE).

It is a good idea to routinely update and test your software to locate and remove any vulnerabilities.  

Another protective measure is to use a code signing certificate, which makes any tampering with your code detectable, lets your files be verified as genuine, and prevents attackers from adding malicious code unnoticed.

You can also employ security companies to review your security policy and find vulnerabilities within the software you are using.  

The key is to find vulnerabilities early, ideally before you have even integrated software into your system. Don’t forget that new vulnerabilities are discovered all the time, so software that is secure today may become insecure over time. It is necessary, therefore, to always keep your finger on the pulse of software security.
