Security researchers have revealed a number of concerning security flaws in popular business communications apps Slack and Microsoft Teams.
Along with project management software tools, the use of business communications apps became widespread during the pandemic and is now a permanent fixture of millions of people’s hybrid working arrangements.
The sheer number of users – as well as the companies – that both of these apps cater to makes the findings all the more worrying.
Major Security Flaws Discovered
The study, produced by researchers at the University of Wisconsin-Madison, has identified a number of potentially catastrophic gaps in both Slack’s and Teams’ security models.
The researchers found that the “access control model in these systems violates two fundamental security principles: least privilege and complete mediation.”
These issues could, in theory, allow “a malicious app to exploit the confidentiality and integrity of user messages and third-party resources connected to the platform.”
“Compared to iOS or Android, I would say their security model is at least five to six years behind.” – Yunang Chen, University of Wisconsin.
The researchers were able to orchestrate three “proof-of-concept” attacks, the first being the ability to eavesdrop on messages sent by users without permission to do so.
The researchers also managed to launch fake video calls and to automatically merge code into repositories without any user involvement or approval. This last vulnerability is perhaps the most concerning, as it would let any user install a third-party app for an entire workspace.
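The two principles the study names, least privilege and complete mediation, are easiest to see in a small model. The following is an added illustration, not code from the study or from Slack or Teams; the workspace, app name, channels and grant scheme are constructed for the example. It contrasts an unmediated read path, where “installed” is treated as “trusted everywhere”, with a mediated one, where every read consults a live table of per-channel, per-action grants, so an app scoped to one channel cannot read another and a revoked grant takes effect on the very next access.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """One narrowly scoped permission: an app may perform one action in one channel.
    Scoping to a single channel (rather than the whole workspace) is the
    least-privilege part of the model. Constructed for this example."""
    app: str
    channel: str
    action: str  # "read" or "post"


@dataclass
class Workspace:
    messages: dict = field(default_factory=dict)   # channel name -> list of messages
    installed: set = field(default_factory=set)    # apps added to the workspace
    grants: set = field(default_factory=set)       # live Grant table, consulted on every access

    def install(self, app, grants, by_admin):
        # Adding an app to the whole workspace is an administrative act in this model;
        # an ordinary member cannot do it.
        if not by_admin:
            raise PermissionError(f"{app}: only workspace admins may install apps")
        self.installed.add(app)
        self.grants.update(g for g in grants if g.app == app)

    def revoke(self, app, channel, action):
        # Removing a grant is immediately visible to the mediated path below
        # because decisions are never cached.
        self.grants.discard(Grant(app, channel, action))


def unmediated_read(ws, app, channel):
    """Weak model: once installed, an app can read any channel (no per-access check)."""
    if app not in ws.installed:
        raise PermissionError(f"{app} is not installed")
    return list(ws.messages.get(channel, []))


def mediated_read(ws, app, channel):
    """Reference-monitor model: every read is checked against the live grant table
    (complete mediation) and a grant covers exactly one channel and one action."""
    if Grant(app, channel, "read") not in ws.grants:
        raise PermissionError(f"{app} has no read grant for #{channel}")
    return list(ws.messages.get(channel, []))


def demo():
    """Run both models over a constructed workspace and report what each allowed."""
    ws = Workspace(messages={
        "general": ["standup at 10"],
        "finance": ["Q3 numbers: (constructed sample)"],
    })
    # The bot is granted read access to #general only.
    ws.install("standup-bot", [Grant("standup-bot", "general", "read")], by_admin=True)

    result = {}
    # Unmediated path: the bot reads #finance although it was never granted it.
    result["unmediated_finance"] = unmediated_read(ws, "standup-bot", "finance")
    # Mediated path: #general is allowed, #finance is denied.
    result["mediated_general"] = mediated_read(ws, "standup-bot", "general")
    try:
        mediated_read(ws, "standup-bot", "finance")
        result["mediated_finance"] = "allowed"
    except PermissionError:
        result["mediated_finance"] = "denied"
    # Revocation is honoured on the next access, with no stale cached decision.
    ws.revoke("standup-bot", "general", "read")
    try:
        mediated_read(ws, "standup-bot", "general")
        result["after_revoke"] = "allowed"
    except PermissionError:
        result["after_revoke"] = "denied"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is in `mediated_read`: the check is performed on every call against the current grant table, so there is no state in which an app’s earlier installation stands in for a decision about a channel it was never granted.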
Poor Third-Party App Vetting From Both Platforms
With such security flaws surrounding third-party applications, you’d expect both Slack and Microsoft Teams to have stringent vetting processes for plug-ins, add-ons, and integrations.
However, this couldn’t be farther from the truth. Both platforms, for instance, allow integration with a given app’s servers without a review from either company’s development teams.
Reviews that do take place, the study finds, are cursory and inadequate. And, as mentioned above, a user doesn’t need a particularly privileged account to add an app to the entire workspace.
A Worrying Study for Millions
The global reach of both these applications makes the new findings all the more concerning.
This isn’t just any small-scale project management software app or CRM system – Microsoft Teams alone has 270 million users, a huge proportion of the business world and a massive attack surface.
Whilst Slack’s userbase is smaller, it is used by some of the most prestigious and trusted companies in the world: nearly 80% of Fortune 100 companies use the platform.
It isn’t only the number of users, but also the sheer volume of sensitive data held within these platforms.
“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” Earlence Fernandes, another one of the study’s authors, said at a recent security conference.
“And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”
The research is bound to alarm many users of these platforms, especially given their huge rise in popularity during the pandemic.
Findings like these demand an immediate revisit of Microsoft and Slack’s app vetting procedures – given how many users rely on them on a daily basis.