Slack and Teams’ lax app security raises the alarm

Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, connecting users with everything from messaging to scheduling to video conferencing tools. But as Slack and Teams become full-fledged, app-enabled operating systems for business productivity, a group of researchers has pointed to serious risks in what those platforms expose to third-party programs — even as organizations trust them with more sensitive data than ever before.

A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, ranging from a lack of review of the apps' code to defaults that allow any user to install an app for an entire workspace. And while Slack and Teams apps are limited, at the very least, by the permissions they request approval for when installed, the researchers' investigation of those protections found hundreds of apps whose permissions would nevertheless allow them to post as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels without having been granted permission to do so.

“Slack and Teams become clearinghouses of all of an organization’s sensitive resources,” said Earlence Fernandes, one of the study’s researchers, who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. “And yet the apps that run on it, which offer a lot of collaboration functionality, can violate any expectation of security and privacy that users have on such a platform.”

When WIRED reached out to Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until it could talk to the researchers. (The researchers say they communicated with Microsoft about their findings before publication.) Slack, for its part, says that the collection of approved apps available in the Slack App Directory is reviewed for security before inclusion and monitored for suspicious behavior afterward. It “strongly recommends” that users install only these approved apps and that administrators configure their workspaces so that users can install apps only with administrator permission. “We take privacy and security very seriously,” the company said in a statement, “and we are working to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are from day one enterprise grade.”

But both Slack and Teams nonetheless have fundamental problems vetting third-party apps, the researchers say. Both allow integration of apps hosted on the app developer’s own servers without any review of the apps’ actual code by Slack or Microsoft engineers. Even the apps that have been reviewed for inclusion in Slack’s App Directory undergo only a more superficial check: reviewers test the apps’ functionality to see whether they work as described, verify elements of their security configuration, such as the use of encryption, and run automated scans of the apps’ interfaces for vulnerabilities.

Despite Slack’s own recommendations, both collaboration platforms allow any user to add these independently hosted apps to a workspace by default. An organization’s admins can enable stricter security settings that require them to approve apps before installation. But even then, those administrators must approve or deny apps without being able to verify the code themselves — and, crucially, the app’s code can change at any time, turning a seemingly legitimate app into a malicious one. That means attacks can take the form of malicious apps disguised as harmless ones, or genuinely legitimate apps can be compromised by hackers in a supply chain attack, in which the attackers sabotage an application at its source in order to break into the networks of its users. And without access to the underlying code of the apps, such changes can go undetected by both administrators and any monitoring system operated by Slack or Microsoft.
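Since the declared OAuth scopes are the only thing an administrator can actually inspect before approving an app, and since the hosted code behind them can change after approval, a practical triage step is to classify those scopes against the risks the study describes (posting as a user, spoofing a display name, reading private conversations, registering slash commands) and to fingerprint the app manifest so that later drift is at least visible. The following is an added example written for this article; it is not code from the study, from Slack or from Microsoft. The scope names are real Slack OAuth scopes and the bot/user layout follows Slack's app-manifest format, but the risk categories are this editor's own heuristic, the sample manifest is constructed, and nothing here can see the app's server-side code.

```python
"""Triage the OAuth scopes a Slack app manifest requests and fingerprint the
manifest for drift detection. Added example for this article; the risk
categories are an editor's heuristic, not Slack's policy. The manifest below
is a constructed sample, not a real app."""
import copy
import hashlib
import json
from typing import Dict, List, Tuple

# Scopes that let an app speak in a workspace. On a *user* token, chat:write
# posts with that user's identity; chat:write.customize lets a bot pick the
# displayed name and icon, so a bot message can be dressed up to look like a
# person.
POSTING_SCOPES = {"chat:write", "chat:write.customize", "chat:write.public"}

# Scopes that read message history in non-public conversations.
PRIVATE_READ_SCOPES = {"groups:history", "im:history", "mpim:history"}

# Scopes that register interactive surfaces (slash commands, webhooks) that
# other legitimate apps also rely on.
SURFACE_SCOPES = {"commands", "incoming-webhook"}

# Constructed sample in Slack's app-manifest layout (oauth_config.scopes).
SAMPLE_MANIFEST = {
    "display_information": {"name": "Acme Standup Bot"},  # hypothetical app
    "oauth_config": {
        "scopes": {
            "bot": ["chat:write", "chat:write.customize", "channels:read", "commands"],
            "user": ["chat:write", "groups:history"],
        }
    },
}


def triage_scopes(manifest: Dict) -> Dict[str, object]:
    """Map the requested bot and user scopes onto the risk categories."""
    scopes = manifest.get("oauth_config", {}).get("scopes", {})
    bot = set(scopes.get("bot", []))
    user = set(scopes.get("user", []))
    return {
        # A user-token posting scope acts with the installing user's identity.
        "posts_as_user": bool(user & POSTING_SCOPES),
        # Custom username/icon on bot messages: display-name spoofing.
        "spoofs_display_name": "chat:write.customize" in bot,
        # Either token type reading private channels, DMs or group DMs.
        "reads_private_conversations": sorted((bot | user) & PRIVATE_READ_SCOPES),
        # Surfaces the app registers alongside other apps.
        "registers_surfaces": sorted(bot & SURFACE_SCOPES),
    }


def approval_recommendation(findings: Dict[str, object]) -> Tuple[str, List[str]]:
    """Turn triage findings into 'ok' or 'review' plus human-readable reasons."""
    reasons: List[str] = []
    if findings["posts_as_user"]:
        reasons.append("user token can post as the installing user")
    if findings["spoofs_display_name"]:
        reasons.append("bot can post under an arbitrary display name and icon")
    if findings["reads_private_conversations"]:
        reasons.append("reads private conversations: "
                       + ", ".join(findings["reads_private_conversations"]))
    if findings["registers_surfaces"]:
        reasons.append("registers shared surfaces: "
                       + ", ".join(findings["registers_surfaces"]))
    return ("review", reasons) if reasons else ("ok", [])


def manifest_fingerprint(manifest: Dict) -> str:
    """SHA-256 over a canonical JSON encoding, recorded at approval time.
    This only detects changes to what the app *declares*; the hosted code
    behind the manifest can change without touching it."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def manifest_changed(approved_fingerprint: str, current_manifest: Dict) -> bool:
    """True if the manifest seen now differs from the one that was approved."""
    return manifest_fingerprint(current_manifest) != approved_fingerprint


if __name__ == "__main__":
    findings = triage_scopes(SAMPLE_MANIFEST)
    verdict, why = approval_recommendation(findings)
    print(verdict)
    for line in why:
        print(" -", line)
    fp = manifest_fingerprint(SAMPLE_MANIFEST)
    later = copy.deepcopy(SAMPLE_MANIFEST)
    later["oauth_config"]["scopes"]["user"].append("im:history")  # simulated drift
    print("changed since approval:", manifest_changed(fp, later))
```

Run against a manifest exported from an installed app, the triage turns "review the permissions" into a concrete list of what the app could do with the identity and data it is granted; the fingerprint check catches a later request for broader scopes, but, as the article stresses, it cannot catch a change to the code running on the developer's server.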