Slack has recently fixed a bug that could have allowed hackers to intercept files downloaded on the Windows desktop app.
A hacker could have placed a malicious link in a channel. Once a user clicked it, downloads could be redirected to the hacker’s server. This could have given hackers access to a lot of sensitive data.
Tenable, a cybersecurity firm, reported the issue to Slack. Researchers at the firm say hackers would not only have had access to the documents, but could also have modified them and added malicious packages.
The bug “would allow all future downloaded documents by the victim to end up being uploaded to an attacker owned file server until the setting is manually changed back by the victim,” David Wells, a researcher at Tenable, told Gizmodo.
The bug was patched in version 3.4.0 of the app. The company has stated that users have not been impacted.
“Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted,” Slack confirmed to Gizmodo.
Users of the Windows app are encouraged to update to the newest version.