A new study by researchers at the University of Wisconsin-Madison reveals possible security flaws in the widely used communication and online collaboration platforms Slack and Microsoft Teams. The 18-page analysis was performed by Yunang Chen, Yue Gao (equal contribution), Nick Ceccio, Rahul Chatterjee, Kassem Fawaz, and Earlence Fernandes, and was published at Earlence.com.
According to the researchers, the security issues are caused by third-party apps. The issues range from configuration problems that allow an app to be installed for an entire workspace to app code that is rarely reviewed by Slack and Microsoft engineers and can contain anything. In addition, those apps can be hosted on a server that belongs to the app's developer. According to the study, existing apps may potentially post messages from the user's account, affect the functions of other apps, and, in rare cases, get access to private channels without permission.
An article published by WIRED says that the publication reached out to Slack and Microsoft for feedback on the researchers' findings. According to WIRED, Slack stated that there is a collection of approved apps in the Slack Apps Directory, which undergo security reviews and are screened for any suspicious activity. Workspace administrators have to restrict the installation of apps without admin permission, and users are strongly recommended to install only the approved apps. Microsoft refused to comment until it could communicate with the researchers. However, according to the information posted by the researchers, they contacted Microsoft about their findings before publishing them.