Slack and Microsoft Teams have some rather worrying security flaws
Slack and Microsoft Teams, arguably the two biggest communication and online collaboration platforms that exist today, allow the inclusion of hundreds of third-party apps, and that’s a security nightmare, experts say.
Researchers at the University of Wisconsin-Madison argue that the code of third-party apps is rarely reviewed by programmers at Slack and Microsoft. Even those that are reviewed undergo only a relatively superficial analysis, with reviewers checking whether the app works as intended or encrypts its data, and running an automated scan that looks for vulnerabilities.
The rest simply sits on the servers of the app developers and can be freely integrated with Slack and Microsoft Teams.
Major risks
With these platforms becoming the de facto operating systems of business productivity, this is a major security risk, researchers argue.
“Slack and Teams become clearinghouses of all of an organization’s sensitive resources,” said Earlence Fernandes, one of the study’s authors and a professor of computer science at the University of California at San Diego. “And yet the apps that run on it, which offer a lot of collaboration functionality, can violate any expectation of security and privacy that users have on such a platform.”
Microsoft is staying silent on the matter for now, until it can address the researchers more thoroughly.
Slack, on the other hand, said it has a collection of approved apps that can be found in the Slack App Directory, and “strongly recommends” users only install these apps on their endpoints. These, the company added, receive security ratings before being recorded and monitored for suspicious behavior.
Furthermore, Slack suggests that IT administrators configure their workspaces so that users can only install apps with administrative privileges. “We take privacy and security very seriously and we are working to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one,” the company concluded.
Via: Wired