A security flaw in Electron, an extremely popular web application framework, leaves vulnerable targets open to remote code execution attacks. Electron underlies widely used desktop apps like Skype and Slack. This is the second critical remote code execution vulnerability of the year for Electron, after a Microsoft Windows app bug was publicly unveiled in January. This latest flaw was discovered by Trustwave researcher Brendan Scarvell. Electron has already issued a patch addressing the flaw, but it’s up to developers to implement it.

Versions below 1.7.13, 1.8.4 and 2.0.0-beta.3 are vulnerable. Apps using those versions are vulnerable to cross-site scripting (XSS) attacks due to a failure to sanitize user input. Due to some specifics within Electron - explained in great detail here by Scarvell - it’s a relatively small jump to escalate that to remote code execution, which could then lead to full ownership of a machine.

“A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built in modules. This makes XSS particularly dangerous, as an attacker’s payload can do some nasty things such as require in the child_process module and execute system commands on the client-side,” Scarvell said.

It’s not yet clear which specific apps are vulnerable. Signal, which builds its desktop app upon Electron, indicated that their app is not vulnerable to this flaw. We’ve emailed Electron, the researchers and several developers to get a better idea of which apps were and are vulnerable, as well as how a user might be able to tell. We will update the story if and when we receive a response. For both developers and users, the key is to download and install the security patches as quickly as possible. Developers who might be unable to upgrade can mitigate the threat by following Electron’s instructions here.

Here's a recent example of XSS -> system RCE in Electron: Electron has a flag that basically says "allow content to run system commands via Node" and it was possible for a context with that flag disabled to open a new context that had it enabled.

Slack and its scores of desktop app users just dodged a major bullet. The communications tool relied upon by journalists, tech workers, and D&D fans alike disclosed on Friday a "critical" vulnerability - now fixed - that would have let hackers run wild on users' computers. Slack's internal security team didn't even find the bug; rather, it was a third-party security researcher who reported it through the bug bounty platform HackerOne in January. Notably, the exploit allowed for something known as "remote code execution," which is just as bad as it sounds. Before Slack fixed it, an attacker using the exploit could have done some pretty wild stuff, such as gaining "access to private files, private keys, passwords, secrets, internal network access etc.," and "access to private conversations, files etc." What's more, according to the disclosure, maliciously inclined hackers could have made their attack "wormable." In other words, if one person in your team got infected, their account would automatically re-share that dangerous payload to all their colleagues. It's worth emphasizing that the security researcher who discovered this vulnerability - a process that takes untold hours of work and is a literal job - decided to do what many would consider the right thing and report it to Slack via HackerOne.
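The flag referred to above is Electron's `nodeIntegration` web preference. As an added example (my own code, not from either article, from Scarvell, or from the Electron project), the helpers below audit a window's `webPreferences` for the settings that let an XSS reach Node.js, and force safe settings onto any child window a page opens, which is the shape of the mitigation Electron's guidance for this bug took. Assumptions: plain Node.js so it runs without Electron installed; the Electron event wiring appears only in comments.

```javascript
// Audit one BrowserWindow's webPreferences object. Returns a list of findings;
// an empty list means none of the checked settings expose Node to page content.
// The key set checked here is my choice, not an official Electron checklist.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  // nodeIntegration defaulted to true in the affected versions, so treat
  // "unset" the same as "on": page JS could require('child_process').
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration is not explicitly false');
  }
  if (prefs.nodeIntegrationInWorker === true) {
    findings.push('nodeIntegrationInWorker is enabled');
  }
  // <webview> tags can spawn contexts with their own webPreferences.
  if (prefs.webviewTag !== false) {
    findings.push('webviewTag is not explicitly false');
  }
  // contextIsolation keeps preload/Electron internals out of page scope.
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is not enabled');
  }
  return findings;
}

// Handler body for Electron's `new-window` event: mutate the `options` that
// the child window will be created with, so a page whose own context has Node
// disabled cannot open a child context that has it enabled.
function hardenNewWindowOptions(options) {
  if (!options.webPreferences) options.webPreferences = {};
  const p = options.webPreferences;
  p.nodeIntegration = false;
  p.nodeIntegrationInWorker = false;
  p.webviewTag = false;
  p.contextIsolation = true;
  delete p.preload; // a preload script runs with Node access regardless
  return options;
}

// Electron main-process wiring (not executed here):
//   app.on('web-contents-created', (_event, contents) => {
//     contents.on('new-window', (_ev, _url, _frame, _disp, options) => {
//       hardenNewWindowOptions(options);
//     });
//   });
```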