Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, uniting users with everything from messaging to scheduling to video conferencing tools. But as Slack and Teams become full-fledged, app-enabled corporate productivity operating systems, a group of researchers has pointed to serious risks in exposing them to third-party programs, even as more organizations rely on them for more sensitive data than ever before.
A new study by researchers at the University of Wisconsin-Madison points to worrying gaps in the third-party app security model of both Slack and Teams, ranging from a lack of app code review to default settings that allow any user to install an application for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they request at install time, the study’s survey of those security measures found that hundreds of apps’ permissions would nonetheless allow them to post messages as users, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content on private channels when permission was not granted.
“Slack and Teams are becoming clearinghouses for all of an organization’s sensitive resources,” says Earlence Fernandes, one of the study’s researchers, who now works as a professor of computer science at the University of California, San Diego, and who presented the study last month at the USENIX Security conference. “And yet the applications running on them, which provide a wealth of collaboration features, can violate any expectation of security and privacy that users would have on such a platform.”
When WIRED contacted Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until it could speak with the researchers. (The researchers say they contacted Microsoft about their findings before publication.) Slack, for its part, says that the collection of approved apps available in its Slack App Directory receive security reviews before inclusion and are monitored for any suspicious behavior. It “strongly recommends” that users install only these approved apps, and that admins configure their workspaces to allow users to install apps only with an admin’s permission. “We take privacy and security very seriously,” the company says in a statement, “and we work to ensure that the Slack platform is a trusted environment for building and distributing apps, and that those apps are enterprise-grade from the get-go.”
However, both Slack and Teams have fundamental problems in their vetting of third-party apps, the researchers argue. Both allow the integration of apps hosted on the app developer’s own servers without Slack or Microsoft engineers reviewing the actual code of the apps. Even apps reviewed for inclusion in the Slack App Directory undergo only a more cursory check: Slack tests the apps’ functionality to see if they work as described, checks elements of their security settings, such as the use of encryption, and runs automated application scans that probe their interfaces for vulnerabilities.
Despite Slack’s own recommendations, both collaboration platforms by default allow any user to add these independently hosted apps to a workspace. Administrators in an organization can turn on stricter security settings that require administrators to approve apps before they are installed. But even then, those administrators must approve or deny apps without having the ability to examine their code, and more importantly, the code behind an app can change at any time, allowing a seemingly legitimate app to become a malicious one. That means attacks can take the form of malicious apps masquerading as innocent ones, or truly legitimate apps can be compromised by hackers in a supply chain attack, in which hackers sabotage an app at its source in an effort to attack the networks of its users. And without access to the underlying code of applications, those changes could be undetectable by both administrators and any monitoring systems used by Slack or Microsoft.