Researchers at AT&T Alien Labs, the threat intelligence arm of AT&T Cybersecurity, have discovered a vulnerability in the popular work collaboration platform Slack.
Slack is a popular cloud-based messaging platform that is commonly used in workplace communication. Slack Incoming Webhooks allow users to post messages from applications to Slack: by specifying a unique URL, the message body, and a destination channel, users can send a message through any webhook, in any workspace, using its URL.
In this instance, while creating webhooks for an internal tool, researchers at AT&T Alien Labs noticed some functionality in the Slack platform that could be used to launch novel phishing campaigns.
Slack webhooks were previously considered a low-security-risk integration, but according to AT&T Alien Labs researchers, attackers could simply find a leaked Slack webhook online and send a malicious app to a Slack channel where users would install it. This flaw could lead to malicious actors hijacking incoming webhooks in phishing attacks.
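One defensive check against the leaked-webhook risk described above is to scan your own repositories and configuration for webhook URLs before someone else finds them. The following is an added example, not code from AT&T Alien Labs or Slack. It assumes Slack's `hooks.slack.com/services/T…/B…/…` incoming-webhook URL shape, which the article does not spell out; the function name and sample files are constructed for illustration.

```python
import hashlib
import re

# Incoming-webhook URL shape: .../services/T<workspace>/B<integration>/<secret>
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]+)"
)

# Constructed sample input: file contents with made-up webhook values.
SAMPLE_FILES = {
    "deploy/notify.sh": "curl -d @msg.json "
    "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n",
    "config/ci.json": '{"slack": "https:\\/\\/hooks.slack.com\\/services'
    '\\/T00000000\\/B00000000\\/XXXXXXXXXXXXXXXXXXXXXXXX"}\n',
    "README.md": "# Alerts\n\nPost to https://hooks.slack.com/services/"
    "T11111111/B22222222/abcdEFGH1234ijklMNOP5678 for alerts.\n",
}


def find_webhooks(files):
    """Return one record per distinct webhook found in {path: text}.

    Records carry the workspace and integration IDs, a short SHA-256
    fingerprint of the full URL, and every (path, line) where it appears.
    The secret path segment is never returned, so the report can be shared.
    """
    found = {}
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            # JSON serializers may escape "/" as "\/"; undo that before matching.
            for m in WEBHOOK_RE.finditer(line.replace("\\/", "/")):
                fp = hashlib.sha256(m.group(0).encode()).hexdigest()[:12]
                rec = found.setdefault(fp, {
                    "workspace": m.group(1),
                    "integration": m.group(2),
                    "fingerprint": fp,
                    "locations": [],
                })
                rec["locations"].append((path, line_no))
    return list(found.values())


if __name__ == "__main__":
    for rec in find_webhooks(SAMPLE_FILES):
        print(rec["workspace"], rec["integration"], rec["fingerprint"], rec["locations"])
```

Removing a reported URL from the file does not invalidate it; a webhook that has been exposed needs to be revoked in Slack.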
Ashley Graves, Cloud Security Researcher at AT&T Alien Labs, a part of AT&T Cybersecurity, wrote a blog post documenting the finding and said: “First, a channel override allows you to override the previously specified webhook target channel by adding the ‘channel’ key to your JSON payload. If you gain access to a webhook for one channel, you can use it in others.
“Slack documentation suggests that allowed target channels are based on the original creator of the webhook…so if you can find a webhook created by an admin – congrats, you can post to admin channels!”
According to Javvad Malik, Security Awareness Advocate at KnowBe4: “This is an interesting attack vector against Slack which is among the few popular messaging tools used in organisations. The concerning aspect about this is that people tend to lower their guard when receiving links on messaging platforms, and in particular when on mobile devices.
“All this combined can lead to a great increase in the likelihood of a spearphishing attack being successful. It is why employees need to be wary of phishing attacks not just from email, but all social media platforms. In addition, organisations should have threat detection and response controls in place so that in the event an employee does fall victim to a phishing attack, it can be quickly identified and remediated before becoming a widespread incident.”
Link to original blog explaining AT&T’s findings: https://cybersecurity.att.com/blogs/labs-research/slack-phishing-attacks-using-webhooks