Last Modified: Wed, 20 Mar 2019 15:28:59 +0000 ; Created: Wed, 20 Mar 2019 12:00:00 +0000
Slack is a messaging platform organized into channels. One feature is an announcement-only channel for broadcasting to users. Only authorized users may post content to these channels, as described in:
Create an announcement-only channel, get.slack.help, Feb 21, 2019.
The official Slack documentation states:
By limiting who can post, announcement-only channels are a great way to broadcast information to everyone in Slack. This type of channel becomes read-only to anyone without permission to post. Instead of the message field, members will see a message like this:
Your Workspace Owners have limited who can post to #announcements-global
However, I found a way for unauthorized users to bypass this restriction via the use of commonly added third-party applications. One example is via the Simple Poll app.
This is just one example; many other apps could be used to do the same. The issue is that Slack itself does not prevent apps from posting to an announcement-only channel, so any installed app becomes a way around this security control.
Slack should not rely on third-party apps to enforce who can post to an announcement-only channel. As things stand, preventing this vulnerability requires uninstalling many of the third-party apps that customers depend on.
In this case #general was locked down because everyone was in it and people kept posting @here messages that annoyed others. An attacker, however, could post a phishing message with a malicious link to a channel such as #general, which all employees would see in their Slack.
A Workspace Owner or org admin must monitor the channel and delete unauthorized posts to mitigate.
An attacker can also quickly delete the poll post to minimize the chance of a legitimate admin seeing it and determining who was phished.
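Since the only available mitigation is an admin watching the channel, the monitoring can be automated. The following is an added example (not from the original post or from Slack) that audits a stream of Slack Events API `message` payloads: it flags any post in an announcement-only channel that arrived through an app (`bot_id` / `bot_message`) or from a member not on the allow list, and flags a `message_deleted` event that removes a flagged post within a short window, the quick-delete pattern described above. Channel IDs, user IDs and the sample events are constructed placeholders; the event field names follow Slack's message event format.

```python
"""Audit Slack message events for announcement-only channel bypasses."""

# Assumed policy (placeholder IDs): locked channel -> members allowed to post.
ANNOUNCEMENT_ONLY = {"C_GENERAL": {"U_OWNER1", "U_OWNER2"}}
QUICK_DELETE_SECONDS = 60  # a deletion this soon after posting is suspicious

# Constructed sample events, not real traffic. Event 2 is an app (poll) post by
# a non-owner in the locked channel; event 3 deletes it 15 seconds later.
SAMPLE_EVENTS = [
    {"type": "message", "channel": "C_GENERAL", "user": "U_OWNER1",
     "text": "Office closed Friday", "ts": "1553083200.000100"},
    {"type": "message", "channel": "C_GENERAL", "user": "U_STAFF42",
     "bot_id": "B_POLLAPP", "text": "Poll: verify your account at http://example.invalid",
     "ts": "1553083260.000200"},
    {"type": "message", "channel": "C_GENERAL", "subtype": "message_deleted",
     "deleted_ts": "1553083260.000200", "ts": "1553083275.000300"},
    {"type": "message", "channel": "C_RANDOM", "bot_id": "B_POLLAPP",
     "text": "Poll: lunch?", "ts": "1553083300.000400"},
]


def is_app_post(ev):
    """True when the message was posted through an installed app, the path
    Slack does not subject to the announcement-only restriction."""
    return "bot_id" in ev or ev.get("subtype") == "bot_message"


def audit_events(events):
    """Return findings as (kind, channel, ts, detail) tuples.

    kind is "unauthorized_post" for an app post or a post by a member not on
    the allow list, and "quick_delete" when such a post is deleted within
    QUICK_DELETE_SECONDS (deletions of unflagged posts are ignored).
    """
    findings, flagged = [], {}  # flagged: (channel, ts) -> poster id
    for ev in events:
        chan = ev.get("channel")
        if chan not in ANNOUNCEMENT_ONLY:
            continue
        if ev.get("subtype") == "message_deleted":
            key = (chan, ev.get("deleted_ts"))
            if key in flagged:
                age = float(ev["ts"]) - float(ev["deleted_ts"])
                if age <= QUICK_DELETE_SECONDS:
                    findings.append(("quick_delete", chan, ev["deleted_ts"],
                                     f"{flagged[key]} post removed after {age:.0f}s"))
            continue
        if ev.get("user") in ANNOUNCEMENT_ONLY[chan] and not is_app_post(ev):
            continue  # ordinary post by an authorized member
        poster = ev.get("bot_id") or ev.get("user") or "unknown"
        reason = "app post" if is_app_post(ev) else "member not allowed to post"
        flagged[(chan, ev["ts"])] = poster
        findings.append(("unauthorized_post", chan, ev["ts"],
                         f"{reason} by {poster}: {ev.get('text', '')[:60]}"))
    return findings
```

App posts are flagged even when invoked by an allowed member, because Slack does not enforce the restriction on that path; a reviewer decides whether each one was legitimate.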
Vendor Response
The vendor states that these security bugs must be addressed in the third-party apps themselves.