![slack desktop app blury slack desktop app blury](https://www.cleverfiles.com/help/wp-content/uploads/2018/11/Blurry-Fonts.png)
![slack desktop app blury slack desktop app blury](https://geeklk.com/wp-content/uploads/2014/12/viber-for-pc-geeklk.jpg)
banned iframe, applet, meta, script, form etc. Oskarsv added, “JavaScript execution is restricted by Content Security Policy (CSP) and various security protections are in place for HTML tags (i.e. “It’s possible to directly edit this JSON structure, which can contain arbitrary HTML.” “ creates a new file on with JSON structure,” according to the writeup.
#Slack desktop app blury code
If a user clicks on the booby-trapped image, the code will be executed on the victim’s machine.Īs for accomplishing the HTML injection, the issue lies in the way Slack posts are created, according to the researcher. After that, they need only to share that post with a public Slack channel or user. To exploit the bug, attackers would need to upload a file to their own HTTPS-enabled server with a payload then, they could prepare a Slack post with an HTML injection containing the attack URL pointing to that payload (hidden in an image). “This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE JavaScript payload.”Īccording to the disclosed technical writeup, attackers could trigger an exploit by overwriting Slack desktop app “env” functions to create a tunnel via BrowserWindow to then execute arbitrary JavaScript, in what is “a weird XSS case,” he said. “With any in-app redirect-logic/open redirect, HTML or JavaScript injection, it’s possible to execute arbitrary code within Slack desktop apps,” wrote a bug-hunter going by the handle “oskarsv,” who submitted a report on the bug to Slack via the HackerOne platform (earning $1,500). Slack for Desktop (Mac/Windows/Linux) prior to version 4.4 are vulnerable. The bug (rated between nine and 10 on the CvSS vulnerability-severity scale), was disclosed on Friday, and involves cross-site scripting (XSS) and HTML injection. They could also potentially burrow further into an internal network, depending on the Slack configuration, according to a security report.
#Slack desktop app blury full
Attackers could gain full remote control over the Slack desktop app with a successful exploit - and thus access to private channels, conversations, passwords, tokens and keys, and various functions. A critical vulnerability in the popular Slack collaboration app would allow remote code-execution (RCE).