Researchers Discover a Severe Privacy Flaw in the Slack App

• Researchers discovered that it’s possible to share private files with other users on Slack.
• The original creator/uploader wouldn’t know about it, which is a breach of their privacy.
• The issue only applies to Snippets and Posts, so all other file types are safe to share there.

According to the security firm “Polyrize”, the Slack app is plagued by a privacy vulnerability that enables anyone to access files that have been shared in private channels. As they describe, if a user shares a file with someone privately, and even if they delete it from that channel, users who get access to that workspace even if that happens at a later stage will still be able to see and access the shared file, as well as to share it with others on different channels. This applies to guest users too, who are supposedly limited to a very specific context.

The problem lies on the Slack’s implementation of the file-sharing system, and how viewing the files through API queries is possible. Slack intended to keep the file-sharing specific to each conversation, but there seems to be a problem when someone from one private conversation shares a file from it to another private conversation. This bypasses the security limitations, as Slack developers haven’t thought of this scenario apparently. To make matters worse, the original uploader of the private file has no indication or any way of knowing that their file has been shared on another private conversation, which is a huge privacy breach problem. The following video demonstrates how it’s done.

In response to the publication of this issue, a representative of the popular communication application has stated that this problematic behavior only applies to Snippets and Posts, so any other file types are perfectly safe to share on the platform. Of course, they are still planning to take care of the discovered problem and push an update that fixes it. If you are using Slack in a sensitive corporate environment, make sure that you apply all of the available updates that land in the following days, and that you’re not sharing Posts and Snippets containing sensitive information in private channels.

Slack is a trendy and convenient communication tool, but it’s far from perfect when it comes to privacy and security. Back in July, the platform proceeded to reset the passwords of 1% of its userbase, and earlier in the year, the company’s boss openly warned investors that severe security risks cannot be taken out of the picture. Moreover, the numerous third-party integrations of Slack create a field where no one knows what’s going on anymore.

Do you trust Slack for your communications or do you prefer a different app? Let us know where you stand in the comments down below, or join the discussion on our socials, on Facebook and Twitter.