Permissions: What Can Third-Party Apps Access?

Many Slack users are unaware of the permissions that may become enabled when third-party applications are linked with one’s Slack account. According to the Slack Help Center, “an app’s permission scopes depend on the kinds of things it’s supposed to do.” Typically, such permissions may encompass the ability to view information, post information, and carry out actions within a slack channel, thread, or direct message. These abilities can often result in third-party applications gaining access to seemingly private information like email addresses, files, user-identities/profiles, meeting invites, and messages. And frequently, specific permissions allow third-party applications to go beyond merely gaining access to this information, empowering them to edit, modify, and delete such data.

The Issue of Encryption

Slack initially only offered encryption for messages at rest, opening up user data to be intercepted by malicious actors. Hackers, as long as they were on the same network as the message transmission, could easily get their hands on data that was making its way from the sender to the recipient. In order to address the concerns of its users, the collaborative platform now provides its users with encryption services for messages while in transit as well. However, this does not solve the problem of data security in its entirety because the encryption offered is still not classified as end-to-end. And Slack gives companies the freedom to supervise and manage the ways and extent of which their data is secured, unfortunately leaving room for possible security oversights.

Slack’s Stance on End-to-End Encryption

Earlier on in 2020, Slack “announced that it was introducing an Enterprise Key Management (EKM) feature that would allow companies that operate in heavily regulated industries like financial services, healthcare, and government to choose how they want to encrypt messages, files, and other information shared on the platform.” However, the company simultaneously clarified that it had no current plans to make end-to-end encryption a default setting to all users, regardless of membership status. Default end-to-end encryption, according to Slack, would place too many limitations on the platform, specifically on its search feature and its third-party application integrations. And so, the very same elements that foster the convenience and efficiency that Slack users have grown accustomed to also serve as the platform’s most problematic security vulnerabilities.

Opening the Door to Contaminated Webhooks and Malicious Applications

Enabling third-party apps on Slack may put delicate, valuable data in jeopardy, leaving companies and their employees vulnerable to catastrophic, irreparable security breaches. Unfortunately, Slack gives the responsibility of adjusting third-party app permissions to the user, in turn, leaving room for simple errors, or even malicious interceptions — potentially landing sensitive information in unintended hands. In some cases, linked third-party applications may be empowered to perform independent actions on behalf of the user or of the application. Default permissions that allow a linked third-party application to post messages on channels, modify or edit content, and create additional channels may open up users on a given workspace to cybersecurity threats. For example, “incoming webhooks,” or the technology which enables third-party applications to post messages on Slack channels independently, have the potential to become hijacked and leveraged to fulfill phishing scams. A contaminated webhook might be able to change permissions regarding channel postings. This would allow malicious actors to trick Slack users into installing malicious applications — which operate as third-party apps linked with Slack — making sensitive company data discussed and shared via Slack, especially vulnerable.

Steps to a Safer Slack Environment

As a result of the several security vulnerabilities posed by Slack’s third-party application permission policies, users are advised to proceed with caution when linking such applications to their Slack workspaces. Slack’s virtually unlimited data retention policy and lax default settings make it difficult to achieve thorough data security on the platform, a battle continuously fought by those at the Electronic Frontier Foundation. However, several best practices can help users achieve heightened data protection when utilizing this collaborative tool.:

●     Before allowing a third-party application to be added to one’s workspace, diligently evaluate the app’s default permissions.

●     Be sure to immediately adjust any bothersome permissions, such as default access to files, messages, channel names, profile information, and the like.

●    Added security measures and monitoring services if you are concerned about the security of your company’s Slack channels, threads, and DMs.

References

Dellinger, AJ. “Are Slack Messages Really Private? Here’s What to Know.” Mic, Mic, 19 May 2020, www.mic.com/p/are-slack-messages-really-private-heres-what-to-know-18715126.

Slack. “Understand App Permissions.” Slack Help Center,

slack.com/help/articles/115003461503-Understand-app-permissions-.

Polymer protects against data loss (DLP) on modern collaboration tools like Slack, Dropbox, Zoom and more with configurable real-time redaction of sensitive and regulated information such as PII, PHI, financial and security data.

Yasir Ali |  yali@polymerhq.io  |  www.polymerhq.io

SHARE

Get latest blogs delivered to your inbox