Researchers have warned of a security vulnerability in popular cloud-based collaboration platform Slack.
The flaw could see a malicious hacker hijack incoming webhooks – a tool to import posts from other applications into Slack – to carry out a phishing attack.
According to researchers at Alien Labs, the cybersecurity division of AT&T, an attacker would first need to find a leaked Slack webhook online. Because a webhook is only a URL and does not itself carry data, the attacker would then need to use it to send a malicious app to the Slack channel in the hope that the users in that channel install it.
In theory, the attacker could then steal private information from the Slack users that download the harmful app.
Exploiting Slack webhooks has generally been considered low risk because unique webhooks are usually kept secret and the attack can only be applied to a specific channel.
However, the Alien Labs researchers discovered 130,989 Slack webhook URLs available online, the majority of which contained the full information needed to carry out the phishing attack.
The researchers also claim that compromising a Slack webhook can give the attacker the ability to alter channel posting permissions, allowing them to push out the malicious app to multiple channels.
“The concerning aspect about this is that people tend to lower their guard when receiving links on messaging platforms, and in particular when on mobile devices,” said Javvad Malik, security awareness advocate at KnowBe4, a cybersecurity training firm.
“All this combined can lead to a great increase in the likelihood of a spearphishing attack being successful. It is why employees need to be wary of phishing attacks not just from email, but all social media platforms.”
How to prevent a Slack webhook phishing attack
The researchers recommend that Slack channel administrators only allow apps to be installed from Slack’s app directory, as they would have been vetted by the firm’s security team.
For more sensitive working environments, Slack administrators can review and approve all applications before installation.
Alien Labs suggests that Slack should make webhooks “default to only working in the defined channel” and that “multi-channel webhooks/overrides should be a separate application or opt-in setting”.
In response to the webhook phishing research, Slack said:
“Webhooks are credential tools that provide access to posting functionality within a workspace. Though data cannot be exposed through webhooks on Slack, we do recommend that workspace owners or admins invalidate publicly exposed webhook URLs and generate new ones.”
Slack adds that it routinely scrapes GitHub for publicly exposed webhooks and invalidates them.
“Webhooks are safe as long as they remain secret since the webhook URL itself is unguessable. We also recommend workspace owners and admins use these best practices for storing credentials safely and that they review this guide to sending messages using incoming webhooks.”
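Finding exposed webhooks before they are indexed is the practical counterpart to Slack's advice above. The following is an added example, not code from the article, Alien Labs or Slack: a small Python scanner that flags Slack incoming webhook URLs in committed text using the URL shape from Slack's own webhook documentation (hooks.slack.com/services/T…/B…/token) and redacts the token in its report. The sample config, team and app IDs and token in it are constructed.

```python
import re
from typing import List, Dict

# Slack incoming webhook URLs follow the documented shape
# https://hooks.slack.com/services/T<team>/B<app>/<24-char token>.
# The team and app IDs are alphanumeric; the trailing token is the secret part.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/"
    r"(T[A-Z0-9]{8,12})/(B[A-Z0-9]{8,12})/([A-Za-z0-9]{24})"
)


def redact(url_match: re.Match) -> str:
    """Keep the team/app IDs (useful for triage) but mask the secret token."""
    team, app, token = url_match.groups()
    return f"https://hooks.slack.com/services/{team}/{app}/{token[:4]}...(redacted)"


def find_leaked_webhooks(text: str, source: str) -> List[Dict[str, object]]:
    """Scan text (a file, a commit diff, a paste) for Slack incoming webhook URLs.

    Returns one finding per hit with its location and a redacted URL, so the
    report itself does not become another copy of the leaked credential.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            findings.append({
                "source": source,
                "line": line_no,
                "team_id": m.group(1),
                "redacted_url": redact(m),
            })
    return findings


# Constructed sample: a config file as it might be committed by mistake.
# The IDs and tokens below are made up for this example.
SAMPLE_CONFIG = """\
# notify.conf
SLACK_WEBHOOK=https://hooks.slack.com/services/T0000EXAMPL/B0000EXAMPL/abcdefghijklmnopqrstuvwx
LOG_LEVEL=info
# old hook, believed rotated, still leaks the team and app IDs:
# https://hooks.slack.com/services/T0000EXAMPL/B1111EXAMPL/ABCDEFGHIJKLMNOPQRSTUVWX
"""

if __name__ == "__main__":
    for f in find_leaked_webhooks(SAMPLE_CONFIG, "notify.conf"):
        print(f"{f['source']}:{f['line']} team={f['team_id']} {f['redacted_url']}")
```

Any hit should be treated as a live credential until the webhook has been invalidated and regenerated in the workspace, as Slack recommends.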
Malik added that organisations should “have threat detection and response controls in place so that in the event an employee does fall victim to a phishing attack, it can be quickly identified and remediated before becoming a widespread incident”.