Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, connecting users to everything from messaging to scheduling to video conferencing tools. But as Slack and Teams become full-fledged, app-enabled operating systems for enterprise productivity, a group of researchers has pointed to serious risks in what they expose to third-party programs, even as they are trusted with more of organizations’ sensitive data than ever before.
A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in Slack’s and Teams’ third-party app security model, ranging from a lack of inspection of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least constrained by the permissions they seek approval for upon installation, the study’s survey of these safeguards found that hundreds of apps’ permissions would still allow them to send messages as users, hijack the functionality of other legitimate apps, or in a few cases even access content in private channels where no such permission had been granted.
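The permission review the study describes is something an admin can do before approving an app, since a Slack app manifest lists the OAuth scopes it requests under `oauth_config.scopes.bot` and `oauth_config.scopes.user`. The script below is an added example, not code from the article or from the researchers: it flags the scopes that grant the capabilities the study calls out, posting under another identity and reading private conversations. The scope names are real Slack scopes; the risk descriptions, the function names and the two sample manifests are constructed for this example.

```python
"""Scope-risk triage of Slack app manifests (added example, not the article's code)."""
from typing import Dict, List

# Scopes that grant the capabilities the study calls out: posting under another
# identity and reading the content of private conversations. Scope names are
# real Slack scopes; the descriptions are constructed for this example.
RISKY_SCOPES: Dict[str, str] = {
    "chat:write.customize": "post with an arbitrary name and icon (can imitate users or other apps)",
    "groups:history": "read message content in private channels the app has been added to",
    "im:history": "read direct messages the app has been added to",
    "mpim:history": "read group direct messages the app has been added to",
    "channels:history": "read message content in public channels",
    "files:read": "read files shared in the workspace",
}


def audit_manifest(manifest: dict) -> List[dict]:
    """Return one finding per risky scope requested by a manifest."""
    name = manifest.get("display_information", {}).get("name", "<unnamed>")
    scopes = manifest.get("oauth_config", {}).get("scopes", {})
    findings = []
    for token_type in ("bot", "user"):
        for scope in scopes.get(token_type, []):
            if scope in RISKY_SCOPES:
                findings.append({"app": name, "token_type": token_type,
                                 "scope": scope, "why": RISKY_SCOPES[scope]})
            elif token_type == "user" and scope == "chat:write":
                # A user-token chat:write posts as the installing user, not as the bot.
                findings.append({"app": name, "token_type": token_type,
                                 "scope": scope,
                                 "why": "post messages as the user who installed the app"})
    return findings


def audit_all(manifests: List[dict]) -> Dict[str, List[dict]]:
    """Map app name to its findings; apps with no risky scopes are omitted."""
    report: Dict[str, List[dict]] = {}
    for manifest in manifests:
        findings = audit_manifest(manifest)
        if findings:
            report[findings[0]["app"]] = findings
    return report


# Constructed sample manifests (hypothetical apps, not real ones).
SAMPLE_MANIFESTS = [
    {"display_information": {"name": "standup-reminder"},
     "oauth_config": {"scopes": {"bot": ["chat:write", "commands"]}}},
    {"display_information": {"name": "meeting-notes-helper"},
     "oauth_config": {"scopes": {"bot": ["chat:write.customize", "groups:history"],
                                 "user": ["chat:write"]}}},
]

if __name__ == "__main__":
    for app, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(f"{app}: {len(findings)} risky scope(s)")
        for finding in findings:
            print(f"  [{finding['token_type']}] {finding['scope']}: {finding['why']}")
```

A scope list is a static snapshot of what the app asked for at install time; it says nothing about what the app's remotely hosted code does with those scopes, which is the gap the researchers describe. The triage is still useful as the first gate: an app that asks for `groups:history` or `chat:write.customize` without an obvious reason deserves a closer look before approval.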
“Slack and Teams are becoming the clearing house for all of an organization’s sensitive assets,” said Earlence Fernandes, one of the study’s researchers, who is now a professor of computer science at the University of California, San Diego and presented the research at the USENIX Security conference last month. “And yet the apps running on it, which offer many collaboration features, can violate any security and privacy expectations that users would have of such a platform.”
When WIRED shared the researchers’ findings with Slack and Microsoft, Microsoft declined to comment until it could speak with the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) For its part, Slack says the approved apps available in its Slack App Directory receive security reviews before inclusion and are monitored for suspicious behavior. It is “strongly recommended” that users only install these approved apps and that admins configure their workspaces to allow users to install apps only with an admin’s permission. “We take privacy and security very seriously,” the company said in a statement, “and we’re working to ensure that the Slack platform is a trusted environment for building and distributing apps, and that these apps are enterprise-ready from day one.”
But both Slack and Teams still have fundamental problems in how they review third-party apps, the researchers argue. Both allow the integration of apps hosted on the app developer’s own servers without Slack or Microsoft engineers reviewing the apps’ actual code. Even apps reviewed for inclusion in Slack’s App Directory undergo only a more cursory review: checking their functionality to see that they work as advertised, verifying elements of their security configuration such as the use of encryption, and running automated scans that check their interfaces for vulnerabilities.
Despite Slack’s own recommendations, both collaboration platforms allow any user to add these independently hosted apps to a workspace by default. An organization’s admins can enable tighter security settings that require admins to approve apps before they’re installed. But even then, those admins must approve or reject apps without being able to review their code themselves. Crucially, an app’s code can change at any time, turning what appears to be a legitimate app into a malicious one. This means that attacks can come in the form of malicious apps disguised as harmless ones, or genuinely legitimate apps can be compromised by hackers in a supply chain attack, where hackers sabotage an application at its source to attack its users’ networks. And without access to the apps’ underlying code, these changes might be undetectable to both admins and any monitoring system used by Slack or Microsoft.