Cybersecurity researchers from eSentire have found a flaw in how Slack renders previews of Wikipedia articles that could be abused to trick users into opening malware-laden websites.
In popular messaging apps, including Slack, when a user forgets to add a space between a full stop and the first letter of the next sentence, the app treats the joined words as a domain name and renders a link accordingly. Typing "face.ebook me for…", for instance, becomes a link to http://face.ebook.
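To show the behaviour described above, here is an added JavaScript illustration (not code from the article, from eSentire or from Slack): a naive auto-linker that turns any dotted token into a link, next to a more conservative variant that only links tokens whose last label is a known top-level domain. The TLD allowlist is an assumption for the demo; a real client would load the IANA root zone list.

```javascript
// Added example, not Slack's implementation. Demonstrates how a missing
// space after a full stop ("face.ebook me") becomes a clickable domain
// under naive auto-linking, and one way to reject such tokens.

// Hypothetical allowlist for the demo; real code would use the IANA list.
const KNOWN_TLDS = new Set(["com", "org", "net", "io", "edu"]);

// Any run of dotted labels made of letters, digits and hyphens.
const DOMAIN_RE = /\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b/gi;

// Naive linker: every dotted token becomes a link, including typos.
function naiveLinkify(text) {
  return text.replace(DOMAIN_RE, (m) => `<a href="http://${m}">${m}</a>`);
}

// Conservative linker: only link when the final label is a known TLD.
function strictLinkify(text) {
  return text.replace(DOMAIN_RE, (m) => {
    const tld = m.split(".").pop().toLowerCase();
    return KNOWN_TLDS.has(tld) ? `<a href="http://${m}">${m}</a>` : m;
  });
}

// Helper used to inspect which hrefs a rendered snippet would expose.
function extractHrefs(html) {
  return [...html.matchAll(/href="([^"]+)"/g)].map((x) => x[1]);
}

// Constructed sample message with the missing-space typo from the article.
const SAMPLE = "Please face.ebook me for the slides, or see example.com later.";

console.log(extractHrefs(naiveLinkify(SAMPLE)));   // both tokens linked
console.log(extractHrefs(strictLinkify(SAMPLE)));  // only example.com
```

The regex only admits letters, digits, dots and hyphens into the href, so the matched text cannot smuggle quotes or tags into the generated markup; the TLD check is what separates a typo from a real hostname.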
If a malicious user edits a Wikipedia article in the right place and adds a reference footnote, they can trick Slack's link preview into rendering a hyperlink that does not exist in the article itself. That link can later be edited to redirect the victim to a malicious website.
Some due diligence required
From there, all it takes is a little creativity to get the victim to click the link in the preview of an otherwise benign Wikipedia URL and be served malware.
This is not unusual on Wikipedia, either. The researchers found more than 1,000 pages where a reference footnote sits in exactly the position needed for Slack's preview pane to generate a link.
The same technique works on other websites too, such as Medium. However, the researchers focused on Wikipedia because it is widely treated as an authoritative, trusted source (although that is debatable).
Of course, to make it work, attackers must first make sure the victim uses Slack, then join their workspace (presumably via a compromised account) and share a link the victim will find interesting enough to open.
Given the success of phishing attacks, it would not be surprising to see this kind of attack attempted. Slack has also had other security concerns recently, such as its somewhat lax approach to accepting third-party app integrations.