Beyond Zoom: How Safe Are Slack and Other Collaboration Apps?

COVID-19’s effect on work footprints has created an unprecedented challenge for IT and security staff. Many departments are scrambling to enable collaboration apps for all — but without proper security they can be a big risk.

As the coronavirus pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ “new normal” – are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention.

For organizations leaning on these platforms, security should be top of mind. A failure to lock down Slack et al could lead to data breaches, brand damage, malware infestations and more. Researchers say that attackers are hard at work looking for new weaknesses to achieve all of the latter. Fortunately though, best practices can go a long way to shrinking the risk.

Collaboration App Security Bugs: Not Hypothetical

The risk posed by collaboration platforms is far from hypothetical. In March, for example a critical vulnerability was found in Slack, which could allow automated account takeovers (ATOs) and lead to data breaches.

According to a HackerOne bug-bounty report, a HTTP Request Smuggling bug, in a proof-of-concept, was used to force open-redirects within Slack, leading users to a rogue client outfitted with Slack domain cookies. When victims attached to the malicious client, their session cookies could be harvested and later used to take over accounts. The attack could also be automated.

“Automated account takeover attacks, like Slack just had to deal with, are pervasive,” said Jason Kent, hacker-in-residence at Cequence, in an interview. “We see these takeover attempts all the time. The attackers learn a login or password recovery workflow and start the attack on the logins they know are valid. Most of the time these attacks have been automated utilizing bots to take over as many accounts as possible.”

August 21, 2019 San Francisco / USA - Slack Technologies, Inc. sign at their HQ in SOMA district; Slack (its main product) is a cloud-based set of collaboration software tools and online services

Aside from Slack, Cisco WebEx has had its share of security flaws. In March, Cisco patched two high-severity vulnerabilities in the video-conferencing platform, which if exploited could allow an attacker to execute code on affected systems. And earlier in the year, it addressed a bug that would let strangers barge in on password-protected meetings – no authentication necessary — presenting a serious data-exposure concern.

And of course, there’s Zoom – which has gained widespread popularity for personal and work use since stay-at-home orders went into effect across the country. The company has faced an onslaught of security woes in the last two weeks, including a pair of zero-days and various privacy problems.

Attack Vectors: Social Engineering, Credential Stuff… 

Apart from exploiting security bugs, cybercriminals have other attack vectors when it comes to collaboration. Apps like Slack, Microsoft Teams and others have messaging components that can be used for phishing attacks and to deliver malware payloads through links and attachments, just like email.

“External attackers can leverage stolen credentials or conduct brute-force and credential-stuffing attacks to gain access to these platforms,” said Gerrit Lansing, field CTO at Stealthbits, speaking to Threatpost. “They can then compromise the information those credentials provided access to – using it either to complete their mission or for intelligence to attack other targets within the company. They could go so far as to impersonate the employee in conversations, and send malicious attachments to pivot onto an employee’s workstation.”

Collaboration apps are also subject to misconfiguration. Popular online collaboration platform Trello for instance, which is used in corporate settings to organize to-do lists and coordinate team tasks, has a problem in that it is indexed by Google if its boards are set to “public.” And, public boards’ specific contents can also be searched using a special search called a “dork.”

This setting is surprisingly easy to implement by mistake, researchers said – as evidenced by an incident earlier this year at office-space company Regus. In that case, a Trello board exposed the performance ratings of hundreds of Regus staff.

“The Trello incident was due to end users setting their boards to public and not fully realizing how easy it was for someone to search for the public boards,” James McQuiggan, security awareness advocate at KnowBe4, told Threatpost. “The groups that created the boards were posting sensitive information and thus exposing the unnecessary risk to their organization.”

If the company’s collaboration platform enables external communication, it can present yet more opportunities for attackers. For instance, “if an attacker were able to get into a developers’ channel inside a retail organization, they might ‘help’ with a problem and actually inject their own flaws,” Kent explained. “Magecart jumps to mind – a person could simply say, ‘can you add this JavaScript file to the next production drop?'”

Hacker Technology Internet Content Web Concept

Ecosystem Weak Spots

There are ecosystem weaknesses too. For instance, Slack offers a software library containing add-ons that can be installed in just a couple of clicks.

“An attacker could create a Slack add-on that advertises some great features but also reads channel data,” said Matt Gayford, principal consultant at the Crypsis Group. “If an end user mistakenly installs the add-on, they could expose all Slack channels to the attacker.”

In terms of actual attacks, Otavio Freire, CTO and co-founder of SafeGuard Cyber, told Threatpost that coordinated campaigns against corporate instances of collaboration platforms can be difficult to pinpoint, making things challenging for security teams.

“The first step to compromising users’ collaboration accounts might initially look like business email compromise (BEC) or social spear-phishing at first,” he explained.

As an example, he detailed one attack impacting Slack that his company was involved in mitigating.

“Slack’s strength and vulnerability is its connectedness to other apps,” he said. “For one customer, we were brought in because they had an instance where a hiring system was mapped to an HR Slack channel. A resume that was an infected Word doc uploaded to the system, which then pushed a notification to that HR channel, where hundreds of employees opened the document at the same time.”

A Cybercriminal Jackpot of Data

Cybercriminals are taking advantage of all of these attack vectors, researchers said — for the simple reason that collaboration apps provide a rich repository for data that attackers would consider to be a jackpot.

The very term “collaboration” after all means the communication of ideas, concepts and designs between multiple stakeholders. As such, users are putting everything out there, giving a successful attacker unfettered access to potentially very sensitive data, according to Elad Shapira, head of research at Panorays.

“The problem is that many companies’ internal data, customer files, internal systems information, credentials and sensitive information can be found on these collaboration platforms,” he told Threatpost.

“If criminal hackers were to gain access to the platform due to a password-reuse or a credential-stuffing attack, they would have access to the information discussed, files transferred or other sensitive information for the organization,” added McQuiggan. “If end users openly discuss sensitive information or topics relating to the intellectual property of the organization and attackers gain access, they can collect all the information and exfiltrate with a simple copy-and-paste or download of the files, if shared in the application.”

The sheer volume of information being shared on Slack and other platforms – especially in the age of COVID-19 – can be staggering as well.

Digital Eavesdropping and Oversharing 

“There is a lot of data to capture and protect, especially when you include chat messages,” Freire said. “The quantity of chats alone can result in thousands of messages per day…some of our customers are producing 40-70,000 Slack messages per day [and not always work-related]: We’ve heard of HR teams needing to shut down channels where conversations were centered around estimating local coronavirus death tolls. You need a way to surface risks quickly, both in direct messages and in channel discussions.”

It’s worth remembering that information shared in chats like those on Teams and Slack, or via document shares, also can lead to compliance violations and legal exposure. For instance, the sender may unaware of all the channel members and may inadvertently expose confidential information to a wider audience than intended, including to external participants.

“SharePoint offers the ability to share links anonymously, so that a document can be shared with someone outside the organization without logging in,” Crypsis’ Gayford explained. “If an end user shares a link to a sensitive document by mistake, they could end up exposing the company to regulatory penalties and the cost of investigating and notifying those involved in the data leak – all from sharing the wrong link.”

Security Can’t Solve Risky Behavior 

Given the sheer volume of information being exposed on collaboration platforms along with the very real security concerns that exist, security professionals have their hands full as most corporate workforces transition to these kinds of tools. The coronavirus pandemic has forced legions of users onto tools like Slack and others – but existing security measures don’t always stand up to the shift.

“Over the past few weeks, as a result of an unprecedented shift to working from home policies, organizations are finding themselves with little to no security,” said Salah Nassar, vice president of marketing at CipherCloud. “Traditional security measures, of tunneling all the remote users back to headquarters, are not working. For example, many organizations today use on-premises firewalls and proxy solutions to protect cloud apps. This system doesn’t scale – and more importantly, there is a major hole in that architecture. How do you protect data being created in the cloud and shared between clouds if it never touches an endpoint or the network through apps such as Slack, Box, Office 365, etc.?”

One glaring issue is the lack of corporate endpoint security for remote devices.

“If a bad actor is able to compromise a user account, they have powerful access to get behind company defenses,” said SafeGuard Cyber’s Freire. “In the current work-from-home paradigm, this risk is made more real because computers and devices are now at home and do not have all the firewall and network protection found inside the corporate networks.”

Cequence’s Kent added, “These platforms are now running on standard [or personal] equipment that many organizations have trouble keeping patched.”

Best Practices to the Rescue

To shore up a collaboration-app security footprint, applying principles of zero-trust and network segmentation can all go a long way to reducing companies’ risk, according to researchers. And, of course, routine security practices and end-user education should be applied to collaboration platforms in the same way that they’re used with other company services.

On the zero-trust front, security teams need to know and understand and enforce the permissions granted to users, according to Crypsis’ Gayford.

“It’s great that employees can readily share documents with teammates, but is that data at risk for being shared outside of the company?” he said. “Don’t over-provision accounts. We want to create an environment where users can quickly share and access data, but we also want to ensure that they can’t access sensitive data.”

He added that questions for security teams to ask include things like, do SharePoint users have access to the entire site, or just a specific document library? Do Slack users have access and ownership to their team channels, or do they have access to all channels at the organization?

“Organizations need to ensure that the principle of least privilege is being followed so that employees have the access required to perform routine, legitimate activities,” Gayford advised. “And IT teams should only permit the installation of add-ons by administrators and follow a strict review process before implementing.”

Network sequestration is equally important. As Freire pointed out, once inside a collaboration platform, a bad actor can pose as a trusted employee to share malicious docs or files to move laterally into other areas on the network. “Depending on how the platform is configured, they may also be able to move into file-sharing apps such as G-suite or SharePoint to gain access to sensitive data,” he explained. Ensuring that lateral movement — even between different channels or conversations on the platform — should be restricted whenever possible.

“We’ve helped an insurance firm protect communications across SharePoint, Yammer and Slack for more than 20,000 users,” Freire said. “With automation and machine learning, we consolidated all communications into one platform. Security and compliance policies were extended to all messages to ensure that all content was consistent with internal policies (FINRA, PII and data loss), while capturing full audit trails.”

Remember the Basics

And clearly, basic security hygiene is always important, and organizations should ensure that collaboration platforms are held to the same standards as other services. This includes requiring that passwords are always be secure and complex; using multi-factor authentication; patching in a timely manner; and applying the same data controls on confidential or sensitive information that would be used for the company’s email platform.

Similarly, on the user behavior front, users should be trained to understand what phishing lures could look like within a Slack channel or a Teams chat. Also, creating awareness around what is and is not okay to share on a platform is a foundational security tool too, according to researchers — and can vastly reduce the “jackpot” attractiveness for criminals in compromising an app like Slack.

“Organizations will want to have a policy that addresses online data, cloud storage and social media,” KnowBe4’s McQuiggan said. “When using the collaboration platform, it’s advisable to not post sensitive or confidential information, especially from the HR and finance departments, or items relating to the organization’s strategy.”

What’s Your Exposure?

So ultimately, how safe are Slack and other collaboration apps? The answer comes down to how much effort has been put into locking them down. That effort may be daunting, given that COVID-19’s effect on work footprints has created an unprecedented challenge for IT and security staff. Many departments are scrambling to enable collaboration apps for all, while still juggling plenty of other priorities.

Nonetheless, Cequence’s Kent said that it’s important to recognize just how much is at stake with the increased use of Slack, Teams and other such apps — and to take steps to ensure their safety.

“Does anyone have an IT team that isn’t overwhelmed right now?” he said. “Everyone is adjusting to 100-percent remote workforces, and having everything originating outside the organization to be pumped in. My advice is this: if you find a security flaw in one of these collaboration services, raise the red flag.  It’s better to give everyone the day off while its fixed, than to have a data breach that will be difficult to detect and hard to recover from.”

Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles