Slack Desktop App Vulnerability – Expert Source

Collaboration company Slack disclosed a Remote Code Execution (RCE) flaw on August 31st, 2020, affecting users of the Windows, macOS and Linux versions of its desktop application. A user who clicks an image embedded through HTML injection is redirected to an attacker-controlled server, from which a malicious JavaScript payload is loaded and executed inside the Slack application on the user's local machine, giving the attacker access to any sensitive data held within the Slack application. The vulnerability was reported by a security researcher through HackerOne in January and patched by Slack in February, but went undisclosed until recently. All users of the Slack desktop application are advised to run version 4.4 or later.
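Because the only remediation the advisory offers is the version floor, the practical check for an administrator is whether every Slack desktop client in the fleet reports 4.4 or later. The script below is an added example, not code from the article or from Slack: it parses version strings defensively (the exact format a client or inventory tool reports is an assumption), treats an unparseable or missing version as "not verified", and returns the hosts that still need an upgrade. The inventory it runs over is constructed sample data.

```python
"""Added example: audit a Slack desktop inventory against the 4.4 floor.

Not Slack's code. The version string formats and the host inventory
below are constructed for illustration.
"""
import re

# Minimum version the advisory recommends.
MIN_SAFE_VERSION = (4, 4, 0)

# Constructed sample inventory: (hostname, version string as reported by an
# inventory tool). The noisy and empty entries model real-world reporting.
SAMPLE_INVENTORY = [
    ("ws-01", "4.3.2"),
    ("ws-02", "4.4.0"),
    ("ws-03", "4.8.0"),
    ("ws-04", "4.4.0-beta1"),          # a 4.4 pre-release already carries the fix floor
    ("ws-05", "Slack 4.2.0 64-bit"),   # version embedded in a longer string
    ("ws-06", ""),                     # no version reported: fail closed
]


def parse_version(raw):
    """Return the first dotted numeric version in raw as a (major, minor, patch) tuple.

    A missing patch component is treated as 0. Returns None when no
    version can be found, so callers can fail closed.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", raw or "")
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def needs_upgrade(raw, minimum=MIN_SAFE_VERSION):
    """True when the client is below the minimum or its version is unknown."""
    version = parse_version(raw)
    return version is None or version < minimum


def audit(inventory, minimum=MIN_SAFE_VERSION):
    """Return the hostnames whose Slack desktop client must be upgraded."""
    return [host for host, raw in inventory if needs_upgrade(raw, minimum)]


if __name__ == "__main__":
    floor = ".".join(str(n) for n in MIN_SAFE_VERSION)
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: upgrade Slack desktop to {floor} or later")
```

Treating an unknown version as a finding rather than silently passing it is deliberate: on a page whose whole mitigation is "be on 4.4 or later", a host that cannot prove its version has not met the bar.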

EXPERTS COMMENTS
Mieng Lim, VP of Product Management,  Digital Defense, Inc.
September 04, 2020
It’s important to ensure users know how to segregate corporate use from personal and verify all clients are up-to-date.
A remote code execution of this type could easily make its way into a corporate environment. With the increased utilization of and reliance on collaboration and communications platforms such as Slack to support remote working, and their popularity for social use, it's important to ensure users know how to segregate corporate use from personal and verify all clients are up-to-date. ....
