Your Workmates Might Still be Reading that 'Unshared' Slack Document
"upstart" writes in with a submission, via IRC, for SoyCow4408.
Security researchers have uncovered a flaw in messaging app Slack that allows a file shared in a private channel to be viewed by anyone in that workspace - even guests.
Folk from Israeli cloud security outfit Polyrize uncovered the vuln, which they say exposes files shared through the IRC-for-millennials application, which boasts millions of users.
"If you share your file once, even if you later unshare it, that file can still be exposed to other people, without any indication to you," said Polyrize, adding that the vuln includes the viewing of files through API queries.
It works through Slack's implementation of file-sharing. Posts on a Slack workspace can be in a public channel, or conversation, where anyone with an account on that workspace can join and view messages and files, or a private conversation (invite-only). Files are shared with conversations which can have one or more participants; if you're in a conversation where a private file is shared, you can view it. Should you leave that private conversation, you can't view files from within it.
That's how it's meant to work, anyway. According to Polyrize, however, if someone in a private conversation shares a file from it to a different conversation, that bypasses the controls.
"Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations," Polyrize told The Register.
There is an "Unshare" button, but once a file (a "Snippet" or "Post") has been shared with someone else, you have no ability to control copying of an already-shared file to a different channel. Further, there is no way to track which files are being re-shared.
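To make the sharing model and its blind spot concrete, here is a small constructed model of conversation-scoped file access. It is an added illustration, not Slack's code or API: the workspace, conversation and user names are made up, and the `exposure_report` audit is a hypothetical view of what an owner would need in order to see where a file is still reachable after an "unshare".

```python
"""Toy model of conversation-scoped file sharing and the re-share blind spot.

Constructed illustration for this article; not Slack's implementation or API.
"""
from dataclasses import dataclass, field


@dataclass
class Conversation:
    name: str
    private: bool
    members: set = field(default_factory=set)


class Workspace:
    """Files are visible through the conversations they have been shared into."""

    def __init__(self, users):
        self.users = set(users)      # everyone with an account, guests included
        self.conversations = {}      # name -> Conversation
        self.owner = {}              # file_id -> owning user
        self.shared_in = {}          # file_id -> set of conversation names

    def add_conversation(self, name, private, members):
        self.conversations[name] = Conversation(name, private, set(members))

    def share_file(self, user, file_id, conv):
        """Initial share: the owner posts the file into a conversation they belong to."""
        self._require_member(user, conv)
        self.owner.setdefault(file_id, user)
        self.shared_in.setdefault(file_id, set()).add(conv)

    def reshare(self, user, file_id, src, dst):
        """Any member of a conversation where the file is visible can copy it elsewhere."""
        self._require_member(user, src)
        self._require_member(user, dst)
        if src not in self.shared_in.get(file_id, ()):
            raise PermissionError(f"{file_id} is not shared in {src}")
        self.shared_in[file_id].add(dst)

    def unshare(self, user, file_id, conv):
        """Owner removes the file from one conversation; copies elsewhere are untouched."""
        if self.owner.get(file_id) != user:
            raise PermissionError("only the owner can unshare")
        self.shared_in[file_id].discard(conv)

    def leave(self, user, conv):
        self.conversations[conv].members.discard(user)

    def can_view(self, user, file_id):
        """Viewable if the user owns it or can read any conversation it is shared in."""
        if self.owner.get(file_id) == user:
            return True
        return any(self._can_read(user, c) for c in self.shared_in.get(file_id, ()))

    def conversations_visible_to(self, user):
        """Private conversations are only known to their members."""
        return {n for n, c in self.conversations.items()
                if not c.private or user in c.members}

    def exposure_report(self, file_id):
        """Hypothetical audit the article says owners lack: every conversation the
        file is still reachable from, flagging the ones the owner cannot see."""
        visible = self.conversations_visible_to(self.owner[file_id])
        return {c: ("visible to owner" if c in visible else "hidden from owner")
                for c in sorted(self.shared_in.get(file_id, ()))}

    def _can_read(self, user, conv):
        c = self.conversations[conv]
        return user in self.users and (not c.private or user in c.members)

    def _require_member(self, user, conv):
        if not self._can_read(user, conv):
            raise PermissionError(f"{user} is not in {conv}")


def scenario():
    """Replays the re-share path from the article with constructed names."""
    ws = Workspace(["alice", "bob", "carol", "guest"])
    ws.add_conversation("proj", private=True, members=["alice", "bob"])
    ws.add_conversation("side", private=True, members=["bob", "carol", "guest"])
    ws.share_file("alice", "design.md", "proj")
    ws.reshare("bob", "design.md", "proj", "side")   # copied to a channel alice is not in
    ws.unshare("alice", "design.md", "proj")         # alice "unshares"; the copy survives
    return ws


if __name__ == "__main__":
    ws = scenario()
    for u in ["alice", "bob", "carol", "guest"]:
        print(u, ws.can_view(u, "design.md"))
    print(ws.exposure_report("design.md"))
```

Running the scenario shows the two properties the article describes: after the owner's unshare, the guest in the second private conversation can still view the file, and the owner's own view of the workspace (`conversations_visible_to`) never includes the conversation the copy lives in, which is why a per-file exposure report is the control an owner would need.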