Your workmates might still be reading that 'unshared' Slack document
Security researchers have uncovered a flaw in messaging app Slack that allows a file shared in a private channel to be viewed by anyone in that workspace – even guests.
Folk from Israeli cloud security outfit Polyrize uncovered the vuln, which they say exposes files shared through the IRC-for-millennials application, an app that boasts millions of users.
"If you share your file once, even if you later unshare it, that file can still be exposed to other people, without any indication to you," said Polyrize, adding that the vuln includes the viewing of files through API queries.
It works through Slack's implementation of file-sharing. Posts on a Slack workspace can be in a public channel, or conversation, where anyone with an account on that workspace can join and view messages and files, or a private conversation (invite-only). Files are shared with conversations which can have one or more participants; if you're in a conversation where a private file is shared, you can view it. Should you leave that private conversation, you can't view files from within it.
That's how it's meant to work, anyway. According to Polyrize, however, if someone in a private conversation shares a file from it to a different conversation, that bypasses the controls.
"Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations," Polyrize told The Register.
There is an "Unshare" button, but once a file (a "Snippet" or "Post") has been shared with someone else, you have no ability to control copying of an already-shared file to a different channel. Further, there is no way to track which files are being re-shared.
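To make the access-control gap concrete, here is a small constructed model of conversation-scoped file sharing (added for this article; not Slack's or Polyrize's code). The user names, conversation names, `hardened` switch and the parent-tracking fix are all assumptions. `scenario(False)` reproduces what the researchers describe: Alice sees only the share she made, and after she unshares, the guest in Bob's other private conversation can still view the file. `scenario(True)` shows one hypothetical fix: record which share each forward was made from, show the owner every share, and revoke forwarded shares transitively on unshare.

```python
from dataclasses import dataclass, field

@dataclass
class FileSharingModel:  # constructed model of Slack-style file sharing; not Slack's code
    conversations: dict                          # conversation -> set of member names
    hardened: bool = False                       # True applies the hypothetical fix
    owners: dict = field(default_factory=dict)   # file -> owning user
    shares: dict = field(default_factory=dict)   # file -> {conversation: conversation it was forwarded from}

    def upload(self, owner, file_id, conv):
        self.owners[file_id] = owner
        self.shares[file_id] = {conv: None}      # the original share has no parent

    def can_view(self, user, file_id):
        # A file is visible iff the user is in at least one conversation it is shared in.
        return any(user in self.conversations[c] for c in self.shares.get(file_id, {}))

    def reshare(self, user, file_id, conv):
        # Anyone who can currently see the file may forward it; the owner gets no indication.
        if not self.can_view(user, file_id):
            raise PermissionError(f"{user} cannot view {file_id}")
        source = next(c for c in self.shares[file_id] if user in self.conversations[c])
        self.shares[file_id][conv] = source

    def owner_view(self, owner, file_id):
        # Owner sees only shares in their own conversations; hardened: every share is listed.
        if self.hardened:
            return set(self.shares[file_id])
        return {c for c in self.shares[file_id] if owner in self.conversations[c]}

    def unshare(self, owner, file_id, conv):
        if self.owners[file_id] != owner:
            raise PermissionError("only the owner can unshare")
        shared_in = self.shares[file_id]
        doomed = {conv}
        while self.hardened:                     # fix: also revoke shares forwarded from this one
            more = {c for c, p in shared_in.items() if p in doomed} - doomed
            if not more:
                break
            doomed |= more
        for c in doomed:
            shared_in.pop(c, None)

def scenario(hardened):
    ws = FileSharingModel({"priv-a": {"alice", "bob"}, "priv-b": {"bob", "guest"}}, hardened)
    ws.upload("alice", "secret.txt", "priv-a")
    ws.reshare("bob", "secret.txt", "priv-b")
    seen_by_owner = ws.owner_view("alice", "secret.txt")
    ws.unshare("alice", "secret.txt", "priv-a")
    return seen_by_owner, ws.can_view("guest", "secret.txt")
```

`scenario()` returns the set of conversations the owner can see the file shared in, followed by whether the guest can still view it after the owner's unshare.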
(Score: 2) by takyon on Tuesday December 17 2019, @06:09PM (4 children)
https://soylentnews.org/article.pl?sid=16/01/03/0247218 [soylentnews.org]
https://soylentnews.org/article.pl?sid=17/05/13/223235 [soylentnews.org]
https://soylentnews.org/article.pl?sid=18/03/06/0428239 [soylentnews.org]
https://soylentnews.org/article.pl?sid=19/11/12/2320231 [soylentnews.org]
Not new.
I have definitely used it and I will be using it more going forward (along with "boffins").
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Informative) by aristarchus on Tuesday December 17 2019, @07:35PM (1 child)
I thought it was short for "Vulncan", like Spock.
(Score: 2) by c0lo on Tuesday December 17 2019, @08:32PM
Umm... I don't follow your logic on this. (grin)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by captain normal on Tuesday December 17 2019, @09:20PM
Obviously it goes all the way back to 2016. That's like forever in Millennial years, don't'cha'no. :-))
When life isn't going right, go left.
(Score: 2) by NotSanguine on Wednesday December 18 2019, @01:08AM
I always liked "punters" myself. Oh, and telling folks "Quick as you like, matey!"
Anglicisms FTW!*
*The irony there being that "FTW" *used* to mean "Fuck The World" or "Fight The Whites." Talk about cultural appropriation! :)
No, no, you're not thinking; you're just being logical. --Niels Bohr