- An AT&T Alien Labs researcher has discovered a vulnerability in messaging app Slack.
- The webhook technology enables sending messages to potentially any channel.
- The exploit can be used to perform mass phishing attacks.
Popular messenger Slack has a big privacy issue, according to a cybersecurity researcher at AT&T Alien Labs. Per its latest report, published Tuesday, Slack is vulnerable to “webhook” attacks.
A webhook is a way for applications to exchange data in real-time via custom-generated URL addresses. The technology is growing in popularity lately because webhooks are resource-light, faster and more efficient than traditional programming interfaces.
Yet, researcher Ashley Graves discovered that webhooks could be used by malicious actors to send messages to multiple Slack channels—even without proper authorization. All they need to know is the channel’s webhook URL.
Despite the fact that Slack webhooks are supposed to be secret, the researcher managed to find over 130,000 public code results that contained Slack webhook URLs on GitHub. Most of them contained the full unique value.
“Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body, and a destination channel, you can send a message to any webhook that you know the URL for in any workspace, regardless of membership,” the researcher warned.
She added that webhooks are typically considered a low-risk integration since hackers must select exactly what channel to target and are unable to receive any data—only to send it. At the same time, by just adding the “channel” key to their URL-address, a malicious user is able to override a previously specified webhook target channel.
“If you gain access to a webhook for one channel, you can use it in others,” she wrote. “Considering sending to #general, #engineering and other default or common channels to target a wider audience.”
In some cases, this will even allow overriding channel posting permissions such as admin-only posting. While the vulnerability won’t allow hackers to actually steal any sensitive data, it opens a door for mass phishing attacks on unsuspecting Slack channels.
“Slack documentation suggests that allowed target channels are based on the original creator of the webhook,” Graves said, adding “So if you can find a webhook created by an admin—congrats, you can post to admin channels.”
In response to the research, a spokesperson for Slack stated that the company routinely monitors GitHub for publicly exposed webhooks and invalidates them, according to Verdict.
“Webhooks are safe as long as they remain secret since the webhook URL itself is unguessable. We also recommend workspace owners and admins use these best practices for storing credentials safely and that they review this guide to sending messages using incoming webhooks,” Slack advised.
As Decrypt reported on April 14, hackers have recently put up for sale over 500,000 user accounts registered on Zoom, another popular online conferencing app. Prior to that, thousands of Zoom video call recordings were discovered in open access on the Internet. Is anything safe?