Cybersecurity researchers from eSentire have discovered a glitch in how Slack renders Wikipedia articles that could be abused to trick users into opening malware-laden websites.
In popular messaging apps, including Slack, when a user forgets to add a space between a full stop and the first letter of the next sentence, the app will perceive it as a domain, and render the link accordingly. Typing “face.book me for…,” for instance, will become http://face.book.
Now, if a malicious user edits a Wikipedia article at the right place and adds a reference footnote, they can trick Slack into rendering a link that doesn’t exist in the article. That link can later be edited to redirect the victim to a malicious website.
A lot of due diligence required
From that point on, all it takes is a little creativity to get the victim to click on the link in the preview of the otherwise benign Wikipedia link to be served malware.
This isn’t that uncommon on Wikipedia, either. The researchers have found more than 1,000 examples of pages where the reference footnote was added to the exact location to get the Slack preview pane to generate a link.
The same method works on other websites, too, like Medium, for example. However, the researchers have focused on Wikipedia because they believe it to be an authoritative, trusted source (although that’s debatable).
Obviously, to make it work, the attackers will first need to make sure that the victim has Slack, then join their workspace (possibly via a compromised account), and share a link that the victim will find interesting to lure them in.
Given the success of phishing attacks, it certainly wouldn’t be surprising to see this kind of attack being attempted. Slack has also had some other security concerns recently, such as its rather lax approach to accepting third-party app integration.
