AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Slack download folder windows1/22/2023 Once clicked, all future downloads would be dropped onto the attacker's SMB server. That path could be directed to a Server Message Block (SMB) file-sharing location controlled by the attacker. By creating a crafted link posted in a Slack channel, the attacker could alter the default settings of the client-changing the download directory, for example, to a new location with a URL such as “slack://settings/?update=”. The potential attack used a weakness in the way the "slack://" protocol handler was implemented in the Windows application. Slack has issued an update to the Windows desktop client that closes the vulnerability. Tenable reported the vulnerability to Slack via HackerOne. When victims opened the files, they would get a potentially nasty surprise. This would allow the attacker to not only steal the files that were downloaded by a targeted user, but also allow the attacker to alter the files and add malware to them. The vulnerability, in Slack Desktop version 3.3.7 for Windows, could have been used to change the destination of a file download from a Slack conversation to a remote file share owned by an attacker. On May 17, researchers at Tenable revealed that they had discovered a vulnerability in the Windows version of the desktop application for Slack, the widely used collaboration service.
0 Comments
Read More
Leave a Reply. |