Slack and Microsoft Teams Are Worryingly Hackable

Security researchers have produced a report that claims neither platform has proper app vetting procedures.

Security researchers have revealed a number of concerning security flaws in popular business communications apps Slack and Microsoft Teams. 

Along with project management software tools, the use of business communications apps became widespread during the pandemic and is now a permanent fixture of millions of people’s hybrid working arrangements. 

The sheer number of users, as well as the number of companies, that both of these apps cater to makes the findings all the more worrying.

Major Security Flaws Discovered

The study, produced by researchers at the University of Wisconsin-Madison, has identified a number of potentially catastrophic gaps in both Slack and Teams’ security models.

The researchers found that the “access control model in these systems violates two fundamental security principles: least privilege and complete mediation.”

These issues could, in theory, allow “a malicious app to exploit the confidentiality and integrity of user messages and third-party resources connected to the platform.”

“Compared to iOS or Android, I would say their security model is at least five to six years behind,” – Yunang Chen, University of Wisconsin.

The researchers were able to orchestrate three “proof-of-concept” attacks, the first being the ability to eavesdrop on messages sent by users without permission to do so.

The researchers also managed to launch fake video calls, and to automatically merge code into repositories without any user involvement or approval. This last vulnerability is perhaps the most concerning, because any user is able to install a third-party app for an entire workspace.

Poor Third-Party App Vetting From Both Platforms

With such security flaws surrounding third-party applications, you’d expect both Slack and Microsoft Teams to have stringent vetting processes for plug-ins, add-ons, and integrations.

However, this couldn’t be farther from the truth. Both platforms, for instance, allow integration with a given app’s servers without a review from either company’s development teams.

Reviews that do take place, the study finds, are cursory and inadequate. And, as mentioned above, a user doesn’t need a particularly privileged account to add an app to the entire workspace.

A Worrying Study for Millions

The global reach of both these applications makes the new findings all the more concerning.

This isn’t just any small-scale project management software app or CRM system – Microsoft Teams alone has 270 million users, a huge proportion of the business world and a massive attack surface.

Whilst Slack’s userbase is smaller, it is used by some of the most prestigious and trusted companies in the world: nearly 80% of Fortune 100 companies use the platform.

It is not only the number of users that matters, but also the sheer volume of sensitive data held within these platforms.

“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” Earlence Fernandes, another one of the study’s authors, said at a recent security conference.

“And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”

The research is bound to alarm many users of these platforms, especially given their huge rise in popularity during the pandemic.

Findings like these demand an immediate revisit of Microsoft and Slack’s app vetting procedures – given how many users rely on them on a daily basis.

Written by:
Aaron Drapkin is Tech.co's Content Manager. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol six years ago. Aaron's focus areas include VPNs, cybersecurity, AI and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, Lifewire, HR News and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.