Your workmates might still be reading that 'unshared' Slack document
Security researchers have uncovered a flaw in messaging app Slack that allows a file shared in a private channel to be viewed by anyone in that workspace – even guests.
Folk from Israeli cloud security outfit Polyrize uncovered the vuln, which they say exposes files shared through the IRC-for-millennials application, one that boasts millions of users.
"If you share your file once, even if you later unshare it, that file can still be exposed to other people, without any indication to you," said Polyrize, adding that the vuln includes the viewing of files through API queries.
It works through Slack's implementation of file-sharing. A Slack workspace has public channels, or conversations, which anyone with an account on that workspace can join to view messages and files, and private conversations, which are invite-only. Files are shared into conversations, each of which has one or more participants; if you're a member of a conversation in which a private file is shared, you can view it. Should you leave that private conversation, you can no longer view the files shared within it.
That's how it's meant to work, anyway. According to Polyrize, however, if someone in a private conversation shares a file from it to a different conversation, that bypasses the controls.
"Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations," Polyrize told The Register.
There is an "Unshare" button, but once a file (a "Snippet" or "Post") has been shared with someone else, you have no way to control the copying of that already-shared file to a different channel. Further, there is no way to track which files are being re-shared.
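As an added example (not from the article or from Polyrize), the following Python audit reads a `files.list` response from Slack's Web API and reports which files are now shared into more than one conversation, giving file owners the re-share visibility the article says the product lacks. It assumes the file object's `channels`, `groups` and `ims` fields and the usual `C`/`G`/`D` conversation-ID prefixes; the sample response below is constructed, not real workspace data.

```python
import json
from typing import Dict, List

# Constructed sample of a Slack files.list response (not real data).
# Field names follow Slack's file object: `channels` (public channels),
# `groups` (private channels) and `ims` (DMs) each list the conversation
# IDs the file is currently shared into. Paging through a real response
# (page/count parameters) is omitted here.
SAMPLE_FILES_LIST = json.dumps({
    "ok": True,
    "files": [
        {"id": "F001", "name": "roadmap.md", "user": "U_ALICE",
         "channels": [], "groups": ["G_PRIVATE_A"], "ims": []},
        {"id": "F002", "name": "salaries.xlsx", "user": "U_BOB",
         "channels": ["C_GENERAL"], "groups": ["G_PRIVATE_B"], "ims": ["D_DM1"]},
        {"id": "F003", "name": "notes.txt", "user": "U_ALICE",
         "channels": [], "groups": ["G_PRIVATE_A", "G_PRIVATE_C"], "ims": []},
    ],
})


def conversations_for(file_obj: dict) -> List[str]:
    """All conversation IDs a file object is currently shared into."""
    return (file_obj.get("channels", []) + file_obj.get("groups", [])
            + file_obj.get("ims", []))


def audit_file_shares(files_list_json: str) -> Dict[str, dict]:
    """Map each file ID to its share footprint: owner, the conversations it
    lives in, whether it has been re-shared beyond a single conversation, and
    whether it sits in both a private conversation and a public channel
    (the case an owner would most want to review). Assumes Slack's ID
    prefix convention: C = public channel, G = private channel, D = DM."""
    payload = json.loads(files_list_json)
    if not payload.get("ok"):
        raise ValueError("files.list failed: %r" % payload.get("error"))
    report: Dict[str, dict] = {}
    for f in payload.get("files", []):
        convs = conversations_for(f)
        public = [c for c in convs if c.startswith("C")]
        report[f["id"]] = {
            "owner": f.get("user"),
            "conversations": sorted(convs),
            "reshared": len(convs) > 1,
            "private_and_public": bool(public) and len(convs) > len(public),
        }
    return report


def reshared_file_ids(files_list_json: str) -> List[str]:
    """IDs of files shared into more than one conversation, sorted."""
    return sorted(fid for fid, r in audit_file_shares(files_list_json).items()
                  if r["reshared"])
```

Run this periodically with an audit-scoped token and compare against the previous report to spot files that have newly appeared in conversations their owner never shared them into.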
(Score: -1, Troll) by Anonymous Coward on Tuesday December 17 2019, @06:12PM
They exposed a backdoor and now ask people to use (((their))) secure messaging program. It is like there are no backdoors already in Intel processors for the last two decades or so. And the software developers (indian niggers) were asked to write the slowest code possible using security as their main theme, slow/managed code for the sake of security, while backdoors for the sake of the security. Sounds like the sick mind of a khazar rat.