posted by martyb on Tuesday December 17 2019, @04:12PM
from the give-that-back! dept.

Your workmates might still be reading that 'unshared' Slack document

Security researchers have uncovered a flaw in messaging app Slack that allows a file shared in a private channel to be viewed by anyone in that workspace – even guests.

Folk from Israeli cloud security outfit Polyrize uncovered the vuln, which they say exposes files shared through the IRC-for-millennials application, which boasts millions of users.

"If you share your file once, even if you later unshare it, that file can still be exposed to other people, without any indication to you," said Polyrize, adding that the vuln includes the viewing of files through API queries.

It works through Slack's implementation of file-sharing. Posts on a Slack workspace can be in a public channel, or conversation, where anyone with an account on that workspace can join and view messages and files, or a private conversation (invite-only). Files are shared with conversations which can have one or more participants; if you're in a conversation where a private file is shared, you can view it. Should you leave that private conversation, you can't view files from within it.

That's how it's meant to work, anyway. According to Polyrize, however, if someone in a private conversation shares a file from it to a different conversation, that bypasses the controls.

"Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations," Polyrize told The Register.

There is an "Unshare" button, but once a file (a "Snippet" or "Post") has been shared with someone else, you have no ability to control copying of an already-shared file to a different channel. Further, there is no way to track which files are being re-shared.
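To make the gap concrete, here is a small model of the sharing semantics the article describes (an added, constructed example, not Slack's code or API; the workspace, conversation and user names are made up). It separates who can actually open a file from which shares the owner is able to see, and shows why "unshare" does not reach a re-shared copy.

```python
"""Model of the file-sharing semantics described above (constructed example,
not Slack's code or API). Conversation and user names are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Conversation:
    name: str
    members: set
    private: bool = True  # private = invite-only; non-members cannot see it exists

@dataclass
class SharedFile:
    owner: str
    shared_into: set = field(default_factory=set)  # names of conversations

class Workspace:
    def __init__(self):
        self.convs = {}

    def add(self, conv):
        self.convs[conv.name] = conv

    def effective_viewers(self, f):
        """Everyone who can actually open the file: the union of the members of
        every conversation it is currently shared into."""
        return set().union(*(self.convs[c].members for c in f.shared_into))

    def shares_visible_to_owner(self, f):
        """What the owner's UI can show: public conversations, or private ones
        the owner belongs to. A re-share into another private conversation is invisible."""
        return {c for c in f.shared_into
                if not self.convs[c].private or f.owner in self.convs[c].members}

    def share(self, f, actor, conv_name):
        # Anyone who can currently view the file may copy it into another conversation
        if actor != f.owner and actor not in self.effective_viewers(f):
            raise PermissionError(f"{actor} cannot view this file")
        f.shared_into.add(conv_name)

    def unshare(self, f, conv_name):
        f.shared_into.discard(conv_name)  # removes this one share only, not copies

def reshare_scenario():
    ws = Workspace()
    ws.add(Conversation("design", {"alice", "bob"}))
    ws.add(Conversation("sales", {"bob", "carol", "guest-dan"}))
    doc = SharedFile(owner="alice")
    ws.share(doc, "alice", "design")   # alice shares in her private channel
    ws.share(doc, "bob", "sales")      # bob re-shares it where alice is not a member
    ws.unshare(doc, "design")          # alice "unshares" the original
    return ws.effective_viewers(doc), ws.shares_visible_to_owner(doc)
```

After the unshare, the owner's view reports no remaining shares while three people, one of them a guest, can still open the file.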

  • (Score: 4, Insightful) by Common Joe on Tuesday December 17 2019, @05:05PM (2 children)

    I think I'm inclined to agree with AC on this. The whole point of these kinds of chat apps is to decentralize. And, in my experience, as soon as IT says "well, that is a problem", most people (who are not security conscious) think IT is being overbearing as soon as they want to centralize something -- no matter whether that is on premises or in the cloud.

    It's not to say that IT is never overbearing. I've seen my fair share of blood and first born requirements with at least two months waiting period before you get access to a file you need daily... and then access is revoked at the end of the day, so you need to fill out multiple access requests.

    We aren't finding a correct balance. Which is a real travesty considering it's the end of 2019 and we've been using computers in business for almost two generations. We can't be bothered with the fine print. It's too much effort. 19 out of 20 times, we won't get bitten. And when we do get bitten, we're never sure how hard we'll get bitten, so it's probably not too bad. Until it's horrific. And if we do read the fine print, the fine print will just change tomorrow.

  • (Score: 2, Insightful) by Anonymous Coward on Tuesday December 17 2019, @06:41PM (1 child)

    A lot of times it's quite hard to prevent people from doing the wrong stuff while allowing them to do the right stuff. What is more doable is tracking who did what.

    Give people the power but make them accountable.

    For example, instead of a proxy server that blocks access to tons of stuff, just have it block obviously bad sites and then log everything and automatically post the top 100 URLs and users etc, and give advance warning to everyone that this will be done after a certain date. Of course you secretly make exceptions for the CxOs and VVIPs etc (who are more likely to be the ones who browse porn at work the most). They're still logged but they don't appear on that public list ;).

    • (Score: 0) by Anonymous Coward on Tuesday December 17 2019, @10:14PM

      "They're still logged but they don't appear on that public list ;)."

      Reading between the lines, you use their browsing habits to blackmail them (into given you a raise)?