Slack and Teams Lax app security raises alarms


Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, connecting users to everything from messaging to scheduling to video conferencing tools. But as Slack and Teams become full-fledged, app-enabled enterprise productivity operating systems, a group of researchers have pointed to serious risks in what they expose to third-party programs, while making trust more organizations. ‘ sensitive data than ever before.

A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in Slack and Teams’ third-party app security model, which range from a lack of app code reviews to default settings that allow any user to install an application for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they ask for approval for when installing, the study’s investigation of those safeguards found that the permissions of hundreds of apps would still allow them potentially posting messages as a user, hijacking the functionality of other legitimate apps, or even, in a few cases, accessing content from private channels when no such permissions have been granted.

“Slack and Teams are becoming clearinghouses for all of an organization’s sensitive resources,” says Earlence Fernandes, one of the study’s researchers who now works as a professor of computer science at the University of California, San Francisco. Diego, and who presented the research. last month at the USENIX Security Conference. “And yet the applications running on it, which provide extensive collaboration features, may violate all user expectations of security and privacy on such a platform.”

When WIRED contacted Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings before publication.) Slack, for its part, says that a collection of approved apps that is available in its Slack App Directory receives security reviews before publication. inclusion and is monitored for suspicious behavior. . It “strongly recommends” that users install only those approved apps and that administrators configure their workspaces to allow users to install apps only with an administrator’s permission. “We take privacy and security very seriously,” the company said in a statement, “and strive to ensure that the Slack platform is a trusted environment for building and distributing apps, and that those apps are professional quality from day one.

But Slack and Teams still have fundamental problems in their verification of third-party apps, researchers say. They both allow the integration of apps hosted on the app developer’s own servers without reviewing the actual app code by Slack or Microsoft engineers. Even apps reviewed for inclusion in Slack’s app directory only undergo a more cursory check of the apps’ functionality to see if they work as described, check things in their security setup such as their use of encryption and run automated application scans that check their interfaces for vulnerabilities.

Despite Slack’s own recommendations, by default both collaboration platforms allow any user to add these independently hosted apps to a workspace. Organization administrators can enable stricter security settings that require administrators to approve apps before they are installed. But even then, these admins have to approve or deny apps without having the ability to review their code themselves, and most importantly, app code can change at any time, allowing a seemingly legitimate app to go rogue. This means attacks can take the form of malicious apps disguised as innocent apps, or truly legitimate apps can be compromised by hackers in a supply chain attack, in which hackers sabotage an app at its source in order to target the networks of its users. And without access to the applications’ underlying code, these changes could be undetectable to administrators and any monitoring system used by Slack or Microsoft.


Comments are closed.