Security researchers claim to have discovered a way to trick Slack’s AI assistant into sharing sensitive information and other secrets with unauthorized users.
Slack, used by more than 35 million people worldwide, introduced its own artificial intelligence (AI) tool in September 2023, which can summarize multiple unread messages, answer various questions, search for files, and more.
But as we’ve seen with other chatbots in the past, a malicious user can use a carefully crafted prompt (a command given to the AI) to force the tool to release sensitive data from private Slack channels they’re not a part of.
“Intended behavior”
For example, security firm PromptArmor, which discovered the vulnerability and reported it to Salesforce, explained how criminals were able to steal API keys:
“We demonstrate how this behavior could allow an attacker to obtain API keys that a developer has placed in a private channel (which the attacker does not have access to).”
The attack revolves around creating a public Slack channel and posting a malicious prompt in it, which the AI reads. The prompt instructs the large language model (LLM) to respond to queries for the API key by providing a clickable URL. Clicking the URL sends the API key data to an attacker-controlled website, where it can be retrieved.
In addition to API keys, criminals could also abuse this vulnerability to obtain files uploaded to Slack, since the AI reads those files as well.
Furthermore, since the AI also reads files, hackers don’t even need to be part of the Slack workspace to steal secrets. All they need to do is hide the malicious prompt in a document and have a workspace member upload it (using social engineering, for example).
“If a user downloads a PDF file containing one of these malicious instructions (e.g., hidden in white text) and then uploads it to Slack, the same downstream effects of the attack chain can be achieved,” PromptArmor said.
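The clickable-URL step described above is the point where data leaves the workspace, so one mitigation is to filter links in the assistant's answer before it is rendered. The following is an added example, not code from Slack or PromptArmor; it assumes Markdown-style links, and the allowlist, function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: link destinations this workspace trusts (constructed values).
ALLOWED_HOSTS = {"slack.com", "docs.example.com"}
# Assumption: the assistant's answer is rendered as Markdown, links as [text](url).
MD_LINK = re.compile(r"\[([^\]]*)\]\((\S+?)\)")


def link_host(url):
    """Return the lowercase host of an http(s) URL, or None for anything else."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, treat as untrusted
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


def host_allowed(url):
    """True only for an allowlisted host or a subdomain of one."""
    host = link_host(url)
    return host is not None and any(
        host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def sanitize_answer(answer, context_secrets):
    """Strip untrusted links from a model answer before it is rendered.

    context_secrets: secret-like strings found in the retrieved context.
    Returns (safe_text, findings); findings has one dict per removed link.
    """
    findings = []

    def replace(match):
        text, url = match.group(1), match.group(2)
        if host_allowed(url):
            return match.group(0)
        decoded = unquote(url)  # catch percent-encoded values too
        findings.append({"host": link_host(url),
                         "carries_secret": any(s in decoded for s in context_secrets)})
        return f"{text} [link removed]"

    return MD_LINK.sub(replace, answer), findings


# Constructed sample: an answer in which retrieved context data ended up in a link.
SAMPLE_SECRET = "EXAMPLE-KEY-1234"
SAMPLE_ANSWER = ("Key lookup failed, [open details](https://untrusted.example.net/?v=EXAMPLE-KEY-1234)."
                 " See [the docs](https://docs.example.com/keys).")
```

The findings list can be forwarded to logging or alerting, since a removed link that carries a value from private context is a strong sign of an injected instruction somewhere in the retrieved messages or files.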
Salesforce, which owns Slack, has apparently patched the bug for private channels. Public channels, on the other hand, appear to have remained vulnerable. PromptArmor says that Salesforce told it that “messages posted to public channels will be searchable and viewable by all members of the Workspace, regardless of whether they are members of the channel or not. This is the intended behavior.”
Via The Register