CyberNews Briefs

Critical Slack Bug Allows Access to Private Channels, Conversations

A critical vulnerability has been discovered in the Slack desktop app affecting versions below 4.4. The flaw could allow an attacker to achieve remote code execution (RCE) inside the app and take full control of it. A successful exploit could give threat actors access to a Slack user's private channels, conversations, passwords, tokens, and keys, as well as other app functions. Depending on the target's Slack configuration, it could also lead to further compromise of the underlying device.

On the CVSS vulnerability severity scale, the bug has been rated critical, between 9 and 10. The vulnerability was disclosed on Friday, and Slack stated that Mac, Windows, and Linux devices running Slack for Desktop versions below 4.4 are vulnerable. The bug chains HTML injection with cross-site scripting (XSS). In a rare form of XSS, an attacker who can get crafted HTML rendered inside the desktop app can overwrite the app's "env" JavaScript functions to create a tunnel through which arbitrary JavaScript executes with the app's own privileges.
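The following is an added illustration of the bug class described above, not Slack's code or the researcher's exploit. It assumes a desktop app that builds a post's markup by string concatenation (the HTML-injection sink) and exposes a privileged bridge object to page JavaScript; the names `renderPostVulnerable`, `renderPostHardened`, `makeBridge`, `attemptOverwrite` and the `env.openExternal` function are hypothetical, and the malicious post is constructed for the example.

```javascript
// Added example (hypothetical, not Slack's code): an HTML-injection sink in a
// desktop app's renderer lets attacker markup run script in the app's origin,
// where it can overwrite privileged JavaScript helpers the app exposes.

// Minimal HTML escaper for text interpolated into markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable renderer: untrusted post fields are concatenated straight into markup.
function renderPostVulnerable(post) {
  return `<div class="post"><h2>${post.title}</h2><p>${post.body}</p></div>`;
}

// Hardened renderer: every untrusted field is escaped before interpolation.
function renderPostHardened(post) {
  return `<div class="post"><h2>${escapeHtml(post.title)}</h2>` +
    `<p>${escapeHtml(post.body)}</p></div>`;
}

// Constructed malicious post (not a real payload): an inline event handler that
// clobbers a privileged bridge function the app exposes to page script.
const maliciousPost = {
  title: 'Q3 roadmap',
  body: '<img src=x onerror="env.openExternal = u => fetch(u)">',
};

// Stand-in for a privileged bridge object (hypothetical name) that a preload
// script might expose to the page. Freezing it is one cheap hardening step.
function makeBridge(freeze) {
  const env = { openExternal: (url) => `shell:${url}` };
  return freeze ? Object.freeze(env) : env;
}

// Simulates what injected script running in the renderer's origin can do:
// replace a bridge function. Returns true if the overwrite took effect.
function attemptOverwrite(env) {
  try {
    env.openExternal = () => 'hijacked';
  } catch (e) {
    // Assignment to a frozen object throws in strict mode and is silently
    // ignored in sloppy mode; either way the original function survives.
  }
  return env.openExternal('https://example.invalid') === 'hijacked';
}

// Crude check on rendered output (a test helper, not a sanitizer): flags a
// script tag, an inline event handler inside a tag, or a javascript: URL.
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}
```

The escaping fix closes the injection sink; freezing the bridge only limits what injected script can do once it is already running. In an Electron app the equivalent structural controls are a strict Content Security Policy for rendered content and context isolation so that page script never shares a global scope with the privileged bridge in the first place.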

Read More: Critical Slack Bug Allows Access to Private Channels, Conversations

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.