Collaboration apps like Slack and Microsoft Team has become the connective tissue of the modern workplace, bringing users together with everything from messaging to scheduling to video conferencing tools. But as Slack and Teams become the go-to operating systems for corporate productivity apps, a team of researchers has pointed to serious risks in what they come into contact with third-party programs. three — at the same time as they are trusted with more organizations’ sensitive data than ever before.
A new one research by researchers at the University of Wisconsin-Madison point out worrying vulnerabilities in the third-party application security models of both Slack and Teams, ranging from a lack of code review of apps to settings. The default allows any user to install the application for the entire workspace. And while the Slack and Teams apps are at least limited by the permissions they seek consent to install, research’s survey of those protections shows that hundreds of app permissions will allow them the ability to post messages as users, hijack the functionality of other apps than legitimate apps, or even, in rare cases, access content in private channels without that permission.
Earlence Fernandes, one of the researchers on this study, now a professor of computer science at the University of California at San Diego, and who presented the study, said: “Slack and Team are becoming the place to be. offsetting all of an organization’s sensitive resources. last month at the USENIX Security conference. “And yet, the applications that run on top of them, which provide a lot of collaboration functionality, could violate any security and privacy expectations that users would have in such a platform.”
When WIRED contacted Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until they could talk to the researchers. (The researchers said they spoke with Microsoft about their findings prior to publication.) For its part, Slack says that a collection of approved apps is available in the Applications Directory. Its Slack will receive a security review prior to inclusion and is monitored for any suspicious behavior. . It “really recommends” that users only install these approved applications, and that administrators configure their workspaces to allow users to install applications only with administrator permission. administrator. “We take privacy and security very seriously,” the company said in a statement, “and we work to ensure that the Slack platform is a trusted environment for building and delivering applications. apps, and those apps are enterprise-grade from day one.”
However, both Slack and Teams have fundamental problems in testing third-party apps, the researchers argue. Both allow the integration of applications hosted on the application developers’ own servers without the need for a Slack or Microsoft engineer to review the actual code of the application. Even apps that are evaluated for inclusion in Slack’s App Directory only undergo a more preliminary test of the app’s functionality to see if they work as described, testing the elements in their security configuration, such as the use of encryption and running automated application scans to check interfaces for vulnerabilities.
Despite Slack’s own recommendations, both collaboration platforms by default allow any user to add these standalone hosted apps to the workspace. Organization admins can enable stricter security settings that require admin approval of apps before they’re installed. But even then, those admins have to approve or disapprove apps without the ability to test their code themselves — and importantly, the app’s code can change at any time. which allows a seemingly legitimate app to become a malicious one. That means attacks can come in the form of malicious apps disguised as innocent ones, or really legitimate apps that can be infiltrated by hackers in a chain attack. provisioning, in which hackers sabotage an application at its source in an attempt to target a user’s network. And without access to the app’s underlying code, those changes may be undetectable to both administrators and any monitoring systems used by Slack or Microsoft.
