TeqGo.com
No Result
View All Result
No Result
View All Result
TeqGo.com
No Result
View All Result
Home Computer

Slack and Teams’ Lax App Security Raises Alarms

Staff by Staff
September 23, 2022
in Computer
0
Slack and Teams’ Lax App Security Raises Alarms
467
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they’re trusted with more organizations’ sensitive data than ever before.

A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study’s survey of those safeguards found that hundreds of apps’ permissions would nonetheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.

“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” says Earlence Fernandes, one of the researchers on the study who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. “And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”

When WIRED reached out to Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) Slack, for its part, says that a collection of approved apps that is available in its Slack App Directory does receive security reviews before inclusion and are monitored for any suspicious behavior. It “strongly recommends” that users install only these approved apps and that administrators configure their workspaces to allow users to install apps only with an administrator’s permission. “We take privacy and security very seriously,” the company says in a statement, “and we work to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one.”

But both Slack and Teams nonetheless have fundamental issues in their vetting of third-party apps, the researchers argue. They both allow integration of apps hosted on the app developer’s own servers with no review of the apps’ actual code by Slack or Microsoft engineers. Even the apps reviewed for inclusion in Slack’s App Directory undergo only a more superficial check of the apps’ functionality to see whether they work as described, check elements of their security configuration such as their use of encryption, and run automated app scans that check their interfaces for vulnerabilities.

Despite Slack’s own recommendations, both collaboration platforms by default allow any user to add these independently hosted apps to a workspace. An organization’s administrators can switch on stricter security settings that require the administrators to approve apps before they’re installed. But even then, those administrators must approve or deny apps without themselves having any ability to vet their code, either—and crucially, the apps’ code can change at any time, allowing a seemingly legitimate app to become a malicious one. That means attacks could take the form of malicious apps disguised as innocent ones, or truly legitimate apps could be compromised by hackers in a supply chain attack, in which hackers sabotage an application at its source in an effort to target the networks of its users. And with no access to apps’ underlying code, those changes could be undetectable to both administrators and any monitoring system used by Slack or Microsoft.



Source link

Tags: hackingmalwaresecurityslackvulnerabilities
Previous Post

Machine Learning in Healthcare: 10 Real Business Cases

Next Post

Spectranet Data Plans: 2022 Data Bundle Packages & Price In Nigeria

Next Post

Spectranet Data Plans: 2022 Data Bundle Packages & Price In Nigeria

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended.

Superman & Lois Will Recast Jonathan Kent

Superman & Lois Will Recast Jonathan Kent

August 17, 2022
NASA Responds to Sobering Review of Psyche Mission, Entire Jet Propulsion Lab

NASA Responds to Sobering Review of Psyche Mission, Entire Jet Propulsion Lab

November 13, 2022

Trending.

How To Delete GameStop Account – A Step By Step Guide

August 23, 2022

How To Create A Pokémon Trainer Club Account

August 23, 2022

Why is Ben Bailey leaving WDIV?

August 24, 2022

What happened to Andrew Humphrey on Channel 4 weather?

August 24, 2022

What is a 100000 year period called?

August 23, 2022
  • About us
  • Contact Us
  • Home
  • Privacy Policy and Disclaimer

© 2021-2023 Teqgo.com

No Result
View All Result
  • About us
  • Contact Us
  • Home
  • Privacy Policy and Disclaimer

© 2021-2023 Teqgo.com