Date: 2020-09-01

A critical vulnerability has been discovered in the Slack desktop app affecting versions below 4.4. The vulnerability could allow attackers to perform remote code execution (RCE) and gain full control over the app. This could lead to threat actors accessing Slack users’ private channels, passwords, conversations, tokens, and keys, as well as various other functions. Depending on the target’s Slack configurations, a successful exploit of this vulnerability could also lead to further compromise of the device.

On the CVSS vulnerability severity scale, the bug has been rated between 9 and 10. The vulnerability was disclosed on Friday, and Slack stated that Mac, Windows, and Linux devices running Slack for Desktop versions 4.4 and lower are vulnerable. The bug involves cross-site scripting and HTML injection. In a rare XSS case, attackers could target the app by overwriting Slack desktop app “env” functions to create a tunnel, subsequently executing arbitrary JavaScript.