Slack’s and Teams’ Lax App Security Is Making Noise

Collaboration apps like Slack and Microsoft Teams have become the fabric of the modern workplace, connecting users with everything from messaging to scheduling to video conferencing tools. But as Slack and Teams become full-fledged, app-enabled operating systems for enterprise productivity, a group of researchers has pointed to serious risks in what they expose to third-party programs, even as they are trusted with more of organizations’ sensitive data than ever before.
A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, ranging from a lack of review of an app’s code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study’s examination of these security measures found that hundreds of apps’ permissions would still allow them to potentially post messages as users, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was given.
“Slack and Teams become clearinghouses for all of an organization’s sensitive resources,” says Earlence Fernandes, one of the researchers on the study, who now works as a professor of computer science at the University of California in San Diego and who presented the research last month at the USENIX Security conference. “And yet the apps that run on them, which provide a lot of collaboration functionality, may violate any expectation of security and privacy users would have in such a platform.”
When WIRED contacted Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until they could speak with the researchers. (The researchers say they communicated with Microsoft about their findings before publication.) Slack, for its part, says that a collection of approved apps available in the Slack App Directory receive security assessments before inclusion and are monitored for suspicious behavior. It “strongly recommends” that users only install these approved apps and that administrators configure their workspaces so that users can only install apps with administrator permission. “We take privacy and security very seriously,” the company said in a statement, “and we’re working to ensure that the Slack platform is a trusted environment for building and deploying apps, and that those apps are enterprise-grade from day one.”
But both Slack and Teams still have fundamental problems in their assessment of third-party apps, the researchers claim. Both allow the integration of apps hosted on the app developer’s own servers without any review of the app’s actual code by Slack or Microsoft engineers. Even the apps considered for inclusion in Slack’s app directory undergo only a more cursory review: a check of the app’s functionality to see whether it works as described, checks of elements of its security configuration such as the use of encryption, and automated scans of its interfaces for vulnerabilities.
Despite Slack’s own recommendations, by default both collaboration platforms allow any user to add these independently hosted apps to a workspace. An organization’s administrators can turn on stricter security settings that require administrators to approve apps before they are installed. But even then, these administrators have to approve or deny apps without any ability to inspect or control the apps’ code themselves, and, crucially, that code can change at any time, turning a seemingly legitimate app into a malicious one. This means that attacks can take the form of malicious apps masquerading as innocent ones, or that genuinely legitimate apps can be compromised by hackers in a supply chain attack, where attackers sabotage an application at its source in an attempt to reach its users’ networks. And without access to the apps’ underlying code, such changes can be undetectable to both administrators and any monitoring system used by Slack or Microsoft.
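The points above translate into a few checks an administrator can run against a workspace: whether any member can install apps, whether each installed app is on the approved list, whether an externally hosted app has picked up permissions beyond those granted at approval time, and which apps hold scopes that let them post as users or read private channels. The following Python audit is an added example, not code from the researchers, Slack, or Microsoft. The scope names follow Slack’s OAuth naming convention but are used here as assumptions, and the sample workspace, policy, and app list are constructed for the demonstration.

```python
from dataclasses import dataclass

# Assumed scope names (modelled on Slack OAuth scopes; verify against your
# platform's current list) and why each one matters to the article's findings.
HIGH_RISK_SCOPES = {
    "chat:write:user": "can post messages that appear to come from the installing user",
    "groups:history": "can read message history of private channels",
    "groups:read": "can list private channels and their members",
    "commands": "registers slash commands that can collide with other apps' functionality",
}


@dataclass(frozen=True)
class AppInstall:
    """One third-party app as currently installed in the workspace (constructed model)."""
    name: str
    scopes: frozenset
    hosted_externally: bool   # code lives on the developer's servers, not reviewable here
    installed_by_admin: bool


@dataclass
class WorkspacePolicy:
    """Admin-side settings (constructed model)."""
    require_admin_approval: bool
    approved_apps: dict  # app name -> frozenset of scopes granted at approval time


def audit_workspace(policy, installs):
    """Return {app name: [finding, ...]}.

    The special key "_workspace" carries policy-level findings. An empty list
    means the app raised no concern under these checks.
    """
    report = {"_workspace": []}
    if not policy.require_admin_approval:
        report["_workspace"].append(
            "any member can install apps workspace-wide; require admin approval")

    for app in installs:
        findings = []
        approved_scopes = policy.approved_apps.get(app.name)
        if approved_scopes is None:
            findings.append("not on the approved-app list")
        else:
            # Scope drift: permissions the app holds now but did not at approval time.
            added = app.scopes - approved_scopes
            if added:
                findings.append("scopes added since approval: " + ", ".join(sorted(added)))
        if not app.installed_by_admin:
            findings.append("installed by a non-admin member")
        risky = sorted(app.scopes & set(HIGH_RISK_SCOPES))
        for scope in risky:
            findings.append(f"{scope}: {HIGH_RISK_SCOPES[scope]}")
        if app.hosted_externally and risky:
            # The article's core caveat: approval is a point-in-time decision,
            # but externally hosted code can change afterwards without notice.
            findings.append(
                "hosted on developer servers with high-risk scopes; "
                "code can change without notice, so re-review on a schedule")
        report[app.name] = findings
    return report


# Constructed sample workspace: one clean app, one that gained scopes after
# approval, and one unapproved app installed by a regular member.
SAMPLE_POLICY = WorkspacePolicy(
    require_admin_approval=False,
    approved_apps={
        "standup-bot": frozenset({"chat:write", "channels:read"}),
        "calendar-sync": frozenset({"chat:write"}),
    },
)
SAMPLE_INSTALLS = [
    AppInstall("standup-bot", frozenset({"chat:write", "channels:read"}), True, True),
    AppInstall("calendar-sync",
               frozenset({"chat:write", "chat:write:user", "groups:history"}), True, True),
    AppInstall("emoji-pack", frozenset({"commands"}), True, False),
]

if __name__ == "__main__":
    for name, findings in audit_workspace(SAMPLE_POLICY, SAMPLE_INSTALLS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The scope-drift check is the one that addresses the article’s central concern: an app approved with a narrow permission set can later request more, and comparing the live scope set against the set recorded at approval time surfaces that change even though the app’s code itself is never visible to the administrator.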