Slack and Microsoft Teams Are Worryingly Hackable – Tech.co

Alan Dickson

Security researchers have revealed a number of concerning security flaws in popular business communications apps Slack and Microsoft Teams. 
Along with project management software tools, the use of business communications apps became widespread during the pandemic and is now a permanent fixture of millions of people’s hybrid working arrangements. 
The sheer number of users – as well as the companies – that both of these apps cater to makes the findings all the more worrying.
The study, produced by researchers at the University of Wisconsin-Madison, has identified a number of potentially catastrophic gaps in both Slack and Teams’ security models.
The researchers found that the “access control model in these systems violates two fundamental security principles: least privilege and complete mediation.”
These issues could, in theory, allow “a malicious app to exploit the confidentiality and integrity of user messages and third-party resources connected to the platform.”
“Compared to iOS or Android, I would say their security model is at least five to six years behind,” – Yunang Chen, University of Wisconsin.
The researchers were able to orchestrate three “proof-of-concept” attacks, the first being the ability to eavesdrop on messages sent by users without permission to do so.
The researchers also managed to launch fake video calls, and automatically merge code into repositories without any user involvement or approval. This last vulnerability is perhaps the most concerning, as this would let any user install a third-party app for an entire workspace.
With such security flaws surrounding third-party applications, you’d expect both Slack and Microsoft Teams to have stringent vetting processes for plug-ins, add-ons, and integrations.
However, this couldn’t be further from the truth. Both platforms, for instance, allow integration with a given app’s servers without a review from either company’s tech development teams.
Reviews that do take place, the study finds, are cursory and inadequate. And, as mentioned above, a user doesn’t need a particularly privileged account to add an app to the entire workspace.
The global reach of both these applications makes the new findings all the more concerning.
This isn’t just any small-scale project management software app or CRM system – Microsoft Teams alone has 270 million users, a huge proportion of the business world and a massive attack surface.
Whilst Slack’s userbase is smaller, it is used by some of the most prestigious and trusted companies in the world – nearly 80% of Fortune 100 companies use the platform.
But the sheer volume of sensitive data held within these platforms is also a concern.
“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” Earlence Fernandes, another one of the study’s authors, said at a recent security conference.
“And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”
The research is bound to alarm many users of these platforms, especially given their huge rise in popularity during the pandemic.
Findings like these demand an immediate revisit of Microsoft and Slack’s app vetting procedures – given how many users rely on them on a daily basis.
Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.
© Copyright 2022
