SoylentNews is people

posted by martyb on Tuesday December 17 2019, @04:12PM
from the give-that-back! dept.

Your workmates might still be reading that 'unshared' Slack document

Security researchers have uncovered a flaw in messaging app Slack that allows a file shared in a private channel to be viewed by anyone in that workspace – even guests.

Folk from Israeli cloud security outfit Polyrize uncovered the vuln, which they say exposes files shared through the IRC-for-millennials application, which boasts millions of users.

"If you share your file once, even if you later unshare it, that file can still be exposed to other people, without any indication to you," said Polyrize, adding that the vuln includes the viewing of files through API queries.

It works through Slack's implementation of file-sharing. Posts on a Slack workspace can be in a public channel, or conversation, where anyone with an account on that workspace can join and view messages and files, or a private conversation (invite-only). Files are shared with conversations which can have one or more participants; if you're in a conversation where a private file is shared, you can view it. Should you leave that private conversation, you can't view files from within it.

That's how it's meant to work, anyway. According to Polyrize, however, if someone in a private conversation shares a file from it to a different conversation, that bypasses the controls.

"Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations," Polyrize told The Register.

There is an "Unshare" button, but once a file (a "Snippet" or "Post") has been shared with someone else, you have no ability to control copying of an already-shared file to a different channel. Further, there is no way to track which files are being re-shared.
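
The sharing behaviour described above, as an added toy model (not Slack's code or API, and not part of the original story): the `Workspace` class, user names and conversation names are constructed for illustration. It shows that unsharing from one conversation leaves a re-share in another private conversation intact, and what a workspace-wide audit would have to compute to surface it.

```python
from dataclasses import dataclass, field

@dataclass
class Workspace:  # hypothetical model, not a Slack data structure
    members: dict = field(default_factory=dict)  # conversation -> set of users
    shares: dict = field(default_factory=dict)   # file id -> set of conversations
    owners: dict = field(default_factory=dict)   # file id -> owning user

    def can_view(self, user, file_id):
        # Visible to the owner and to members of any conversation holding it.
        if user == self.owners.get(file_id):
            return True
        return any(user in self.members[c] for c in self.shares.get(file_id, ()))

    def share(self, user, file_id, conv):
        if user not in self.members[conv]:
            raise PermissionError(f"{user} is not in {conv}")
        if file_id in self.owners and not self.can_view(user, file_id):
            raise PermissionError(f"{user} cannot view {file_id}")
        self.owners.setdefault(file_id, user)  # first sharer is the owner
        self.shares.setdefault(file_id, set()).add(conv)

    def unshare(self, file_id, conv):
        # "Unshare" removes the file from one conversation only.
        self.shares[file_id].discard(conv)

    def owner_visible_shares(self, file_id):
        # The owner only learns of shares in conversations they belong to.
        owner = self.owners[file_id]
        return {c for c in self.shares[file_id] if owner in self.members[c]}

    def hidden_shares(self, file_id):
        # Workspace-wide audit: shares the owner has no way to see.
        return self.shares[file_id] - self.owner_visible_shares(file_id)

def demo():
    # Constructed sample workspace: two private conversations, one guest.
    ws = Workspace(members={"priv-a": {"alice", "bob"},
                            "priv-b": {"bob", "guest1"}})
    ws.share("alice", "F1", "priv-a")  # owner shares privately
    ws.share("bob", "F1", "priv-b")    # a member re-shares elsewhere
    ws.unshare("F1", "priv-a")         # owner "unshares"
    return ws

if __name__ == "__main__":
    ws = demo()
    print("owner sees:", ws.owner_visible_shares("F1"))
    print("hidden from owner:", ws.hidden_shares("F1"))
```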


  • (Score: 2) by captain normal (2205) on Tuesday December 17 2019, @09:20PM (#933415)

    Obviously it goes all the way back to 2016. That's like forever in Millennial years, don't'cha'no. :-))

    --
    When life isn't going right, go left.