A new study claims that Slack and Teams have gaping potential security flaws in the access control given to third-party apps on the platforms.
Researchers from the University of Wisconsin Madison found that the work productivity apps expose user information to third-party apps through software agreements for API interfaces most users never read. Those agreements allow third-party apps to, in theory, post for the user and read and access most, if not all, of their information.
Paper author Professor Earlence Fernandes told IT Brew that because the third-party apps are not hosted on the platform—unlike those on iOS or Android, for example—it’s near impossible for the company to verify “the code of the app that is interacting with a person’s Slack or Teams environment.”
Fernandes said that Slack and Teams need to do more to manage the problems found in the group’s research, though there’s no evidence as yet that the vulnerabilities have been exploited by bad actors. And the separation between the platform and the third-party apps makes fixes prohibitively time-consuming.
“In the general sense, their responsibility would be to ensure that this kind of behavior does not happen,” Fernandes said. “But on the ground, in reality, this is a difficult problem to solve.”
Bug bounty. The vulnerabilities exposed by the paper include the capability for third-party apps to read messages sent in private channels that they are not given access to. That revelation earned the paper authors a mid-level bug bounty from Slack, Fernandes said.
While the research has unearthed some unsettling vulnerabilities, it should be taken with a grain of salt, cautioned Brian Donohue, principal security specialist at cyber-threat detection service provider Red Canary. In order for bad actors to infiltrate systems and cause problems, they’d have to get in through the apps and then use that access for ill.
“Your adversary would have to have that level of administrative access to kind of perform some of the nastiest stuff that they’re talking about in this research,” Donohue said. “That said, a lot of organizations allow a lot of sensitive information to be passed into their Slack and Teams workspaces through these API integrations that this research focuses on.”
Trusting the process. Microsoft declined to comment for this story.
In an email, Slack’s senior communications manager, Danielle Adams, told IT Brew that the report was warning of outcomes which were “highly unlikely to happen, as they would require a cascade of actions from multiple parties (i.e., Slack did not review an app, a user installed an unknown app not in our directory, and an organization did not have any admin controls in place).”
When the research team talked to Microsoft and Slack, Fernandes said, the companies told them that the processes put in place to recommend apps and give control to individual platform administrators were sufficient.
But who administers a workspace varies. Some workspaces are administered by a full IT team; others are run by a single dedicated IT professional; others still are simply run by one member of the company’s workforce.
“They were of the opinion that installing apps into this environment should be done with care, and should only be done through the official app directory—where they claim that the apps are somehow more secure than the apps not in there,” Fernandes told IT Brew. “They also claim that the workspace is a trusted environment, according to them, and that the administrator is going to make correct decisions all the time.”—EH
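The story describes the access model at a high level: an installed app holds API scopes that can let it read most of a user’s content or post as that user, and the platforms say the mitigation is admin review plus installs only from the official directory. The script below is an added example, not code from the study, Slack, or Microsoft. It audits a small installed-app inventory that is constructed here for the demonstration (no real workspace is queried); the scope strings are Slack OAuth scope names, and the split between user-token scopes (acting as the installing user) and bot-token scopes (acting as the app) is the distinction an admin would want to see when deciding whether an app’s access matches its purpose.

```python
"""Audit a workspace's installed third-party apps by the access they hold.

Added example, not code from the study or from Slack/Microsoft. The
inventory below is constructed for the demonstration; in practice the same
fields would come from the workspace's app-management console or export.
"""
from dataclasses import dataclass, field

# Slack OAuth scope name -> plain-language capability it grants.
CAPABILITIES = {
    "groups:history": "read messages in private channels the app is a member of",
    "channels:history": "read messages in public channels",
    "im:history": "read direct messages",
    "mpim:history": "read group direct messages",
    "chat:write": "post messages",
    "users:read.email": "read members' email addresses",
    "files:read": "read shared files",
}

# Scopes that reach content a workspace normally treats as private.
SENSITIVE = {"groups:history", "im:history", "mpim:history",
             "users:read.email", "files:read"}


@dataclass
class InstalledApp:
    name: str
    from_directory: bool        # listed in the platform's official app directory
    admin_approved: bool        # an admin reviewed and approved the install
    user_scopes: "set[str]" = field(default_factory=set)  # user token: acts as the user
    bot_scopes: "set[str]" = field(default_factory=set)   # bot token: acts as the app


def audit(app: InstalledApp) -> list:
    """Return the findings for one app; an empty list means nothing to flag."""
    findings = []
    if not app.from_directory:
        findings.append("installed from outside the official app directory")
    if not app.admin_approved:
        findings.append("installed without admin approval")
    for scope in sorted(app.user_scopes & SENSITIVE):
        findings.append(f"user token can {CAPABILITIES[scope]} "
                        f"as the installing user ({scope})")
    for scope in sorted(app.bot_scopes & SENSITIVE):
        findings.append(f"bot token can {CAPABILITIES[scope]} ({scope})")
    if "chat:write" in app.user_scopes:
        # Posting with a user token makes the message appear to come from that person.
        findings.append("can post messages that appear to come from the "
                        "installing user (chat:write)")
    return findings


def risk_level(app: InstalledApp) -> str:
    """High = unvetted app with private-content access; medium = one of the two."""
    sensitive = (app.user_scopes | app.bot_scopes) & SENSITIVE
    unvetted = not app.from_directory or not app.admin_approved
    if sensitive and unvetted:
        return "high"
    if sensitive or unvetted:
        return "medium"
    return "low"


def audit_workspace(apps) -> dict:
    """Map app name -> findings, only for apps that have something to flag."""
    report = {}
    for app in apps:
        findings = audit(app)
        if findings:
            report[app.name] = findings
    return report


# Constructed inventory (hypothetical app names; not real installations).
INVENTORY = [
    InstalledApp("Standup Bot", True, True,
                 bot_scopes={"chat:write", "channels:history"}),
    InstalledApp("Summarizer", False, False,
                 user_scopes={"groups:history", "im:history", "chat:write"},
                 bot_scopes={"users:read.email"}),
    InstalledApp("Calendar Sync", True, True, user_scopes={"chat:write"}),
]

if __name__ == "__main__":
    for app in INVENTORY:
        print(f"{app.name}: {risk_level(app)}")
        for finding in audit(app):
            print(f"  - {finding}")
```

Run as-is, the unvetted "Summarizer" app is the only one rated high: it can read private-channel and direct-message history as the installing user and post as that user, which is the combination the story's "cascade of actions" quote refers to. "Standup Bot" reads only public channels with a bot token and is not flagged at all.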