Your workmates might still be reading that 'unshared' Slack document

Security researchers have uncovered a flaw in messaging app Slack that allows a file shared in a private channel to be viewed by anyone in that workspace – even guests. Folk from Israeli cloud security outfit Polyrize uncovered the vuln, that they say exposes files shared through the IRC-for-millennials application, which …

  1. Rich 11

    Not gonna work

    only share files with people whom you trust not to reshare them into different conversations.

    So basically no-one, then. Myself included.

    It's too easy to forget all the ins and outs of what you should and shouldn't do with one bit of shadow IT or another, especially after a few months or a year, or when they change the GUI on you, or when you do an accidental drag-and-drop. If you can't see the exact status of all your contributions in one place, nice and clear, then reliable data governance can never happen. Next time the auditors are in to give you the third degree, just shrug your shoulders.

    Maybe one day manglement will understand and actually enforce the 'no shadow IT' policy you suggested.

  2. Anonymous Coward

    IRC with GIFs, no line length limit and no need for a bouncer. What's not to like?

    1. Anonymous Coward

      Well, fortunately you never used ALL the options in an IRC client, because you could do all that (and questionably much more). But if you ever try it, the experience is akin to the feeling that the bomb just dropped and all that survived is children's daycares.

      Seen in many IRC channels, translated from 1337 speak: "Check out my banner guys, isn't aaaaawwwesome!" <insert base64 dump here>

  3. Cronus
    FAIL

    Err, how is this any more of a threat than the intended recipient just copying the contents into a new snippet and sharing that? This is yet another non-issue from a security company trying to make a name for itself.

    1. FrogsAndChips

      If the protections are properly implemented with Information Rights Management, it can be very difficult if not impossible to share content with users that have not been specifically granted the permissions. Sure, a few lines of text can be re-typed, screen captures or photos can be made (with obvious loss of quality), but sharing large files would be another matter.

      1. Cuddles

        I must be confused about what the word "share" means. If you share a file with me, it is presumably with the intention that I am able to save a local copy and do something useful with it - some sort of data analysis, document corrections, or whatever. At the point you pass it to me, you lose any and all possibility of controlling what I actually do with it. Slack is irrelevant, there are plenty of ways for me to send it to other people. No amount of rights management can help with this, because the file needs to be unrestricted in order for it to be of any use to me.

        Even if by "content" you mean useless crap like Powerpoint presentations, which could potentially be presented in-browser only and not allowed to download, you still face the same problem film companies keep running into. If I am able to view something on my monitor, I am able to make an unrestricted local copy of it, and there's nothing you can ever do to prevent it. At the very worst, that might mean taking photos of the screen, more likely just things like screenshots or finding temporary files. If I can see it, I can copy it.

        So really the whole thing is nonsense. The complaint in this case seems to be essentially that if you send an email, the recipient can forward it to someone else, which as Cronus notes is just stupid to complain about. But the more general issue is that the whole idea of being able to control files like that is stupid to start with. At the point you decide to send files to other people, you lose control over what happens to them afterwards. The problem is not with Slack or any other specific implementation of how to send them, it's that you're sending things to people you don't trust.

        1. Smold

          The problem is that you can still see updates. You should watch the video in the post.

          The problem is that you can still view updates that have been committed after the file was unshared.

          That's something you can't achieve by downloading/copying the file. And that shouldn't be possible.

  4. Anonymous Coward

    "It works through Slack's implementation of file-sharing"

    A.K.A. a hyperlink.

    1. Anonymous Coward

      re: hyperlink

      No, it's a store-and-forward hyperlink.

    2. Anonymous Coward

      >A.K.A. a hyperlink.

      Nah, a Slack "share" is effectively an upload to Slack's servers and they forward it on your behalf. Even if you're just "sharing" a link, it'll materialise and cache things to forward on from its own servers, possibly breaking your organisational security model. For example at one place I was contracting a senior manager "shared" the super_secret_product_roadmap_plan.gdoc into the team channel.

      "No worries", says he, "It's locked down to the team only"

      "Except", says I, "Slack has rendered the front page as a nice image that it lets everyone see, and the first slide of your roadmap deck details all of your roadm..."

      "Ah", says he, "I see"

      Slack's line is "just don't share it"

  5. DavCrav

    "As described, working around the vulnerability is fairly easy: don't use Slack to share sensitive files."

    Editor's note: That sentence is too long. Recommend trimming last four words.

  6. Pascal Monett

    "When you share Snippets and Posts in private channels or message"

    You are handing over the information to an entity you have no control over and who is in no way obliged to handle the data in any specific way.

    If you think that's a good thing, you're the problem.

  7. phuzz

    "IRC-for-millennials"

    I'm a millennial. I was born at the start of the 1980s.

    IRC is my IRC (mIRC specifically).

    (Although, to communicate with different customers I'm currently running Slack, Teams, RocketChat, and Mattermost. Skype only gets started when I need it. Going back to IRC would be a blessing tbh)

    1. Richocet

      There's no technical reason that chat platforms can't be interoperable like phone calls, SMS and email.

      It is unnecessary hassle when someone is using a different platform, or fashions change and we all have to move to something else.

  8. Anonymous Coward

    Very different.

    After unsharing, one can trace the listed permissions and, based on that, add updates and new information to the shared file, assuming only the listed ones can see this information.

    Unfortunately, all this new information is shared as well.

    When you make an update to a file, not only do you not know who can see the updates: you get a wrong list of viewers. While you could avoid sharing information when not knowing whom it is shared with, in this case you check the permissions, publish information based on that, and it is shared with others!

    And if that is not enough, the unlisted people may be able to edit the file (for example to delete or insert erroneous information).
