Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they’re trusted with more organizations ‘ sensitive data than ever before.
A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study’s survey of those safeguards found that hundreds of apps’ permissions would nevertheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.
“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” says Earlence Fernandes, one of the researchers on the study who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. “And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”
When WIRED reached out to Slack and Microsoft about the researchers’ findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) Slack, for its part, says that a collection of approved apps that is available in its Slack App Directory does receive security reviews before inclusion and are monitored for any suspicious behavior . It “strongly recommends” that users install only these approved apps and that administrators configure their workspaces to allow users to install apps only with an administrator’s permission. “We take privacy and security very seriously,” the company says in a statement, “and we work to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one.”
But both Slack and Teams nevertheless have fundamental issues in their vetting of third-party apps, the researchers argue. They both allow integration of apps hosted on the app developer’s own servers with no review of the apps’ actual code by Slack or Microsoft engineers. Even the apps reviewed for inclusion in Slack’s App Directory undergo only a more superficial check of the apps’ functionality to see whether they work as described, check elements of their security configuration such as their use of encryption, and run automated app scans that check their interfaces for vulnerabilities.
Despite Slack’s own recommendations, both collaboration platforms by default allow any user to add these independently hosted apps to a workspace. An organization’s administrators can switch on stricter security settings that require the administrators to approve apps before they’re installed. But even then, those administrators must approve or deny apps without themselves having any ability to know their code, either—and crucially, the apps’ code can change at any time, allowing a seemingly legitimate app to become a malicious one. That means attacks could take the form of malicious apps disguised as innocent ones, or truly legitimate apps could be compromised by hackers in a supply chain attack, in which hackers sabotage an application at its source in an effort to target the networks of its users. And with no access to apps’ underlying code, those changes could be undetectable to both administrators and any monitoring system used by Slack or Microsoft.