Watch out – sharing a Wikipedia link on Slack could be a serious security no-no
Cybersecurity researchers at eSentire have discovered a glitch in the way Slack displays Wikipedia articles that could be exploited to trick users into opening malware-laden websites.
In popular messaging apps, including Slack, when a user forgets to add a space between a period and the first letter of the next sentence, the app will perceive this as a domain and display the link accordingly. For example, if you type “face.book me for…”, the app will render it as a link to http://face.book.
Now, if a malicious user edits a Wikipedia article in the right place and adds a reference footnote, they can trick Slack into displaying a link that doesn’t appear in the article. That link can later be edited to redirect the victim to a malicious website.
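One defender-side check for the mechanism described above, as an added example (not code from eSentire, Slack or Wikipedia): it scans plain preview text for bare “word.TLD” tokens that a chat client would auto-link because a period is not followed by a space, and can break them with a space. The TLD list is a constructed stub.

```python
import re

# Constructed for this example: a handful of public TLDs. A production
# check would load the full IANA root-zone list instead.
KNOWN_TLDS = {"com", "net", "org", "io", "me", "it", "book", "link", "info"}

# Explicit URLs (with a scheme) are real links and are left alone.
_URL = re.compile(r"https?://\S+")

# A bare "label.label" token with no whitespace around the dot, which is
# what a chat client's auto-linkifier turns into http://label.label.
_TOKEN = re.compile(
    r"(?<![\w.])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)\.([A-Za-z]{2,})(?![\w.])"
)


def _is_linkish(m):
    """True when the token's last label is a real TLD, i.e. the client
    would render the token as a link."""
    return m.group(2).lower() in KNOWN_TLDS


def accidental_domains(text):
    """Return the tokens in plain text that a client would auto-link
    because a period is not followed by a space (e.g. 'face.book')."""
    found = []
    for segment in _URL.split(text):
        found.extend(m.group(0) for m in _TOKEN.finditer(segment) if _is_linkish(m))
    return found


def _fix(m):
    # Insert a space after the dot so the token reads as two words again.
    return f"{m.group(1)}. {m.group(2)}" if _is_linkish(m) else m.group(0)


def defuse(text):
    """Break every flagged token with a space so the client no longer
    treats it as a domain; explicit URLs are copied through unchanged."""
    out, pos = [], 0
    for url in _URL.finditer(text):
        out.append(_TOKEN.sub(_fix, text[pos:url.start()]))
        out.append(url.group(0))
        pos = url.end()
    out.append(_TOKEN.sub(_fix, text[pos:]))
    return "".join(out)
```

Running `accidental_domains` over the text a preview would show (the footnote and surrounding sentence) flags tokens like `face.book` or `Paris.It` while ignoring decimal numbers, abbreviations such as `e.g.`, and URLs that carry a scheme.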
A lot of due diligence is needed
From there, all it takes is a little creativity to get the victim to click the link in the preview of the otherwise benign Wikipedia link to get malware.
This is also not that uncommon on Wikipedia. The researchers found more than 1,000 examples of pages where the reference footnote was placed at exactly the spot that makes the Slack preview window generate a link.
The same method also works on other websites, such as Medium. However, the researchers focused on Wikipedia because they believe it is an authoritative, trusted source (although that is debatable).
To make it work, the attackers will obviously first have to make sure the victim has Slack, then join their workspace (possibly via a compromised account) and share a link that the victim will find interesting to lure them in.
Given the success of phishing attacks, it certainly wouldn’t be surprising if these types of attacks were attempted. Slack has also had a number of other security issues lately, such as its rather lax approach to accepting third-party app integration.