"XSLeak Flaw in Slack Could Allow a Malicious Workspace Member to Launch De-anonymisation Attacks"

Security researcher Julien Cretel has discovered a cross-site leak (XSLeak) flaw in the file-sharing feature of Slack's web application. According to Cretel, exploiting the vulnerability could allow threat actors to identify users outside of the workforce instant messaging platform when victims visit an attacker-created website in a Chromium-based browser.

XSLeaks are a class of security vulnerabilities stemming from side channels built into the web platform. These flaws abuse the web's core principle of composability, which allows websites to interact with one another, and exploit legitimate mechanisms to reveal sensitive information about users.

Researchers from TU Darmstadt released a paper in 2019 detailing an XSLeak channel in the image-sharing features provided by Facebook, Twitter, Google, and other popular messaging platforms. According to the study, when a user uploads an image in a private chat thread, the host service generates a unique URL for the resource that can only be accessed by parties within the thread. The researchers discovered that malicious actors could abuse this mechanism by creating such a unique URL for a target user and then having visitors' browsers on another website request the same URL. The browser's response could help the attacker determine whether the visitor is the targeted user. They warned that this technique could be applied in fingerprinting or spear phishing attacks.

When Cretel examined the file-sharing functionality of Slack's web client, he found it to be vulnerable to Leaky Image attacks. However, exploiting the flaw requires the attacker to have a user account in the same Slack workspace as their targets and to be able to send them direct messages.

This article continues to discuss the XSLeak flaw found in Slack, the platform's response to the discovery of this vulnerability, and other previously uncovered security weaknesses in Slack.
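One server-side way to remove the signal that a Leaky Image attack relies on, shown as an added example that is not taken from the article, from Cretel's report, or from Slack's code: a private file endpoint gives every cross-site embed the same answer, using the Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`). The function name, the file and session shapes, and the sample data are hypothetical.

```javascript
// Added example: access decision for a privately shared file URL.
// decideFileRequest, FILES and the user names are hypothetical, constructed for illustration.

// Constructed sample: one file shared in a direct-message thread between two users.
const FILES = {
  F123: { allowedUsers: new Set(["alice", "mallory"]) },
};

// Browsers that implement Fetch Metadata label each request with its initiator's
// relationship to the target site. Header names are assumed lowercased (as in Node).
function isCrossSite(headers) {
  // A missing header means an older browser or a non-browser client;
  // those requests fall through to the normal authorization check.
  return headers["sec-fetch-site"] === "cross-site";
}

// A user following a link (top-level navigation) is not a subresource embed.
function isTopLevelNavigation(headers) {
  return (
    headers["sec-fetch-mode"] === "navigate" &&
    headers["sec-fetch-dest"] === "document"
  );
}

function decideFileRequest(headers, sessionUser, fileId) {
  // 1. Cross-site subresource loads (for example <img src=...> on another site)
  //    are refused before any per-user check runs, so the embedding page sees
  //    the same outcome whether or not the visitor may view the file.
  if (isCrossSite(headers) && !isTopLevelNavigation(headers)) {
    return { status: 403, reason: "cross-site embed blocked" };
  }
  // 2. Unknown file, anonymous visitor and unauthorized user all get one answer.
  const file = FILES[fileId];
  if (!file || !sessionUser || !file.allowedUsers.has(sessionUser)) {
    return { status: 404, reason: "not found" };
  }
  return { status: 200, reason: "ok" };
}
```
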

Computing reports "XSLeak Flaw in Slack Could Allow a Malicious Workspace Member to Launch De-anonymisation Attacks"

Submitted by Anonymous on