Saturday, October 1, 2022

Slack and Teams’ lax app security raises alarms

Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, uniting users with everything from messaging to scheduling to video conferencing tools. But as Slack and Teams become full-fledged, app-enabled corporate productivity operating systems, a group of researchers has pointed to serious risks in exposing them to third-party programs, even as more organizations rely on them for more sensitive data than ever before.

A new study by researchers at the University of Wisconsin-Madison points to worrying gaps in the third-party app security model of both Slack and Teams, ranging from a lack of app code review to default settings that allow any user to install an application for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they request at install time, the study’s survey of those permissions found that hundreds of apps would nonetheless be able to post messages as users, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels for which permission had not been granted.

“Slack and Teams are becoming clearinghouses for all of an organization’s sensitive resources,” says Earlence Fernandes, one of the study’s researchers, who now works as a professor of computer science at the University of California, San Diego, and who presented the research last month at the USENIX Security conference. “And yet the applications running on them, which provide a wealth of collaboration features, can violate any expectation of security and privacy that users would have on such a platform.”

When WIRED contacted Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until it could speak with the researchers. (The researchers say they contacted Microsoft about their findings before publication.) Slack, for its part, says that the collection of approved apps available in its Slack App Directory receives security reviews before inclusion and is monitored for any suspicious behavior. It “strongly recommends” that users install only these approved apps, and that admins configure their workspaces to allow users to install apps only with an admin’s permission. “We take privacy and security very seriously,” the company says in a statement, “and we work to ensure that the Slack platform is a trusted environment for building and distributing apps, and that those apps are enterprise-grade from day one.”

However, both Slack and Teams have fundamental problems in how they vet third-party apps, the researchers argue. Both allow the integration of apps hosted on the app developer’s own servers without Slack or Microsoft engineers reviewing the apps’ actual code. Even apps reviewed for inclusion in the Slack App Directory undergo only a more cursory check: a test of the apps’ functionality to see whether they work as described, a check of elements of their security settings, such as the use of encryption, and automated application scans that probe their interfaces for vulnerabilities.

Despite Slack’s own recommendations, both collaboration platforms by default allow any user to add these independently hosted apps to a workspace. Administrators in an organization can turn on stricter security settings that require administrators to approve apps before they are installed. But even then, those administrators must approve or deny apps without being able to examine their code, and more importantly, the code behind an app can change at any time, allowing a seemingly legitimate app to turn malicious. That means attacks can take the form of malicious apps masquerading as innocent ones, or genuinely legitimate apps can be compromised in a supply chain attack, in which attackers sabotage an app at its source in an effort to reach the networks of its users. And without access to the apps’ underlying code, those changes could be undetectable both by administrators and by any monitoring systems used by Slack or Microsoft.
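The article makes two points an administrator can act on directly: the permissions an app requests at install time are the only thing admins get to review, and an app installed without admin approval was never reviewed at all. The script below, an added example that is not part of the article or of the researchers’ study, shows what that review can look like: it takes a snapshot of installed apps with their granted OAuth scopes and flags apps that were installed without approval, that hold user-token scopes letting them act as the user (post messages, read private channels and DMs), or whose bot token can read private channels or post under an arbitrary name. The scope names are real Slack scope identifiers; the app list is constructed, and the risk tiers assigned to each scope are this example’s own judgement, not Slack’s classification.

```python
"""Triage installed Slack apps by the OAuth scopes they were granted.

Constructed example: the SAMPLE_APPS list is made up, and the risk
tiering of scopes below is an assumption of this example, not a
classification published by Slack.  The scope names themselves are
real Slack scope identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# User-token scopes let the app act *as the installing user*.
# Tiering is an assumption for this example.
HIGH_RISK_USER_SCOPES = {
    "chat:write",      # post messages that appear to come from the user
    "groups:history",  # read messages in private channels the user is in
    "im:history",      # read the user's direct messages
    "mpim:history",    # read the user's group direct messages
}

# Bot-token scopes that reach private content or allow impersonation.
HIGH_RISK_BOT_SCOPES = {
    "groups:history",        # bot reads private channels it was added to
    "chat:write.customize",  # bot posts with an arbitrary display name/icon
}


@dataclass
class InstalledApp:
    """One row of an admin's installed-apps inventory (constructed shape)."""
    name: str
    installed_by: str
    admin_approved: bool
    bot_scopes: set[str] = field(default_factory=set)
    user_scopes: set[str] = field(default_factory=set)


def triage(app: InstalledApp) -> list[str]:
    """Return human-readable findings for one app; an empty list means clean."""
    findings: list[str] = []
    if not app.admin_approved:
        # The article's point: by default any user may install an app
        # workspace-wide, so nobody ever reviewed this one.
        findings.append("installed without admin approval")
    acting_as_user = app.user_scopes & HIGH_RISK_USER_SCOPES
    if acting_as_user:
        findings.append("user-token scopes: " + ", ".join(sorted(acting_as_user)))
    risky_bot = app.bot_scopes & HIGH_RISK_BOT_SCOPES
    if risky_bot:
        findings.append("bot scopes: " + ", ".join(sorted(risky_bot)))
    return findings


def triage_workspace(apps: list[InstalledApp]) -> dict[str, list[str]]:
    """Map app name -> findings, keeping only apps with at least one finding."""
    report = {}
    for app in apps:
        findings = triage(app)
        if findings:
            report[app.name] = findings
    return report


# Constructed inventory; names and installers are invented.
SAMPLE_APPS = [
    InstalledApp("Standup Helper", "alice", True,
                 bot_scopes={"chat:write", "channels:read"}),
    InstalledApp("Notes Sync", "bob", False,
                 bot_scopes={"channels:read"},
                 user_scopes={"chat:write", "groups:history"}),
    InstalledApp("Poll Bot", "carol", True,
                 bot_scopes={"chat:write.customize", "channels:history"}),
]

if __name__ == "__main__":
    for name, findings in triage_workspace(SAMPLE_APPS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run as a script, the report lists "Notes Sync" (unapproved, and able to post as bob and read his private channels) and "Poll Bot" (bot can post under any name); "Standup Helper" is not flagged. The check is a point-in-time review of declared permissions only: as the article stresses, it says nothing about the code running on the developer’s server, which can change after approval without any scope changing, so scope triage complements rather than replaces an approval policy.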
