Collaboration programs like Slack and Microsoft Teams are the connective tissue of the modern workplace, giving users messaging, scheduling, and video conferencing in one place. But as Slack and Teams grow into full-fledged, app-enabled operating systems of corporate productivity, one team of researchers has raised serious concerns about what they expose to third-party programs, at a time when they are trusted with more sensitive enterprise data than ever before.
Researchers at the University of Wisconsin-Madison have found alarming flaws in the third-party app security models of Teams and Slack. These flaws range from default settings that let any user install an app for an entire workspace to the absence of any code review. Slack and Teams apps are at least constrained by the permissions they request at installation, but the study’s examination of those safeguards found that the permissions granted to hundreds of apps would still allow them to post messages as a user, hijack the functionality of other legitimate apps, or, in a few cases, read content in private channels even though no such permission had been granted.
New research demonstrates how third-party applications can be used to compromise these office collaboration products.
WIRED
One of the study’s researchers, Earlence Fernandes, now a professor of computer science at the University of California, San Diego, who presented the findings last month at the USENIX Security conference, says that “Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources.” The apps that run on them offer a lot of collaborative capability, but they can also defeat whatever expectations users have about security and privacy on such a platform.
When WIRED contacted the two companies about the researchers’ results, Microsoft declined to comment until it could speak with the researchers. The researchers say they discussed their findings with Microsoft prior to publication. For its part, Slack says that the selection of authorized applications listed in its Slack App Directory does undergo security inspection before inclusion and is monitored for suspicious activity. It “highly recommended” that administrators configure their workspaces so that users cannot install applications without an administrator’s approval, and that users stick to those approved apps. The company said in a statement, “We take privacy and security extremely seriously and we try to guarantee that the Slack platform is a trusted place to develop and distribute apps, and that those apps are enterprise-grade from day one.”
The researchers contend, however, that there are fundamental problems with how Slack and Teams evaluate third-party apps. Both permit the integration of applications hosted on servers owned by the app developer, without Slack or Microsoft ever reviewing the apps’ actual code. Even the apps reviewed for inclusion in Slack’s App Directory receive only a cursory examination: a check that they function as promised, a look at specific security configuration settings such as the use of encryption, and automated scans for flaws in their user interfaces.
Despite Slack’s own recommendation, both collaboration systems by default permit any user to add these separately hosted applications to a workspace. An organization’s administrators can turn on tighter controls that require them to authorize apps before installation, but even then they must accept or refuse apps with no way to inspect their code. And because that code lives on the developer’s servers, it can change at any time, so an apparently innocent program can later turn malicious. Attacks could therefore take the form of malicious applications disguised as benign ones, or of genuine apps compromised in a supply chain attack, in which attackers tamper with a program at its source in order to reach the networks of its users. Without access to an app’s source code, such modifications can go unnoticed by administrators and by any monitoring that Microsoft or Slack performs.
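The audit an administrator is left to do by hand, as an added example that is not from the researchers or from Slack: given an inventory of installed apps, flag the conditions the paragraphs above describe (scopes that allow posting as a user or reading private channels, installation without admin approval, and code hosted on the developer’s own servers). The scope names are Slack’s real OAuth scope identifiers; the risk mapping, the record format and the sample inventory are this example’s own constructions.

```python
from dataclasses import dataclass

# Slack OAuth scope names mapped to the capability the article warns about.
# Which scopes count as risky is this example's judgement, not Slack's.
SCOPE_RISK = {
    "chat:write": "post messages as the installing identity",
    "groups:history": "read message content of private channels",
    "groups:read": "enumerate private channels the installer belongs to",
    "im:history": "read direct messages of the installer",
    "files:read": "read files shared in the workspace",
}

@dataclass
class AppRecord:
    # Constructed record shape; a real inventory would be exported from the
    # admin console and mapped into this form.
    name: str
    scopes: tuple
    hosted_by: str        # who runs the app's backend code
    installed_by: str
    admin_approved: bool

def audit_app(app: AppRecord, admins: set) -> list:
    """Return human-readable findings for one app; an empty list means no flag."""
    findings = []
    for scope in app.scopes:
        if scope in SCOPE_RISK:
            findings.append(f"{scope}: {SCOPE_RISK[scope]}")
    if not app.admin_approved:
        findings.append("installed under the default 'any user may install' setting")
    if app.installed_by not in admins:
        findings.append(f"installed by non-admin {app.installed_by}")
    if app.hosted_by != "self-hosted":
        findings.append(f"code hosted by {app.hosted_by}; unreviewable and may change after install")
    return findings

def audit_workspace(apps, admins) -> dict:
    """Map app name -> findings, with the most-flagged apps first."""
    report = {a.name: audit_app(a, admins) for a in apps}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

# Constructed sample inventory (not real apps).
ADMINS = {"alice"}
SAMPLE_APPS = [
    AppRecord("standup-bot", ("chat:write", "groups:history"), "vendor.example", "bob", False),
    AppRecord("deploy-notify", ("chat:write",), "self-hosted", "alice", True),
    AppRecord("emoji-stats", ("users:read",), "vendor.example", "alice", True),
]

if __name__ == "__main__":
    for name, findings in audit_workspace(SAMPLE_APPS, ADMINS).items():
        print(name, *findings, sep="\n  ")
```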
The upshot is that users accustomed to more tightly controlled third-party app ecosystems, such as the code reviews used by Apple’s App Store and Google Play, may take on risks they never intended when they install a seemingly innocent app in their company’s collaboration workspace. Yunang Chen, a researcher at the University of Wisconsin, says that the security strategy of Slack and Teams is at least five to six years behind that of iOS or Android.