Critical vulnerability in Slack allows fingerprinting attacks on users

Cybersecurity specialists report the detection of a security flaw in the file sharing feature in Slack whose exploitation would allow threat actors to identify the identity of users outside this platform. While the existence of the bug has been proven to Slack, they seem to have no intention of addressing it, leaving the responsibility of preventing an attack on users.

The flaw, described as a cross-site leak (XSLeak), would allow a threat actor to evade the same-origin policy, a security measure that prevents tabs and frames from different domains from accessing data in other browser tabs.

Similar conditions were found a couple of years ago in image sharing features on Facebook, Twitter and other platforms. When users upload an image, the host service creates a unique URL for that resource that can only be accessed by the parties within the thread. Threat actors can abuse this mechanism to create a unique URL for a target user and then redirect browsers to another website by requesting the same URL.

Apparently, the flaw in XSLeak depends on hackers having a user account in the same Slack workspace as the target user in order to send direct messages. When a file is uploaded to a direct messaging channel, Slack creates a URL that can only be accessed by members of the conversation, so other users who click on this URL would be redirected to the Slack homepage.

Slack uses the “SameSite = lax” directive to protect its session cookie, which means it is only available for domain requests under specific conditions. The report demonstrates that with simple JavaScript code, a threat actor can create a web page that bypasses SameSite protection and thus obtain the URL.

It is worth mentioning that the bug is not always exploitable, as it does not work in the desktop and mobile application, so it can only be used on the Slack website for Chromium-based browsers. Due to its features, Slack decided not to release updates to address this bug, arguing that the affected feature is only used by members of secure work environments, so intrusion by an unauthorized user is considered unlikely.

Finally, the platform issued a statement making it clear that it is users who will need to take care of their backs: “The best way to prevent attacks between members of a workspace is to make sure that everyone in your workspace is a member or trusted partner.”

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.