Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they're trusted with more organizations' sensitive data than ever before.
A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study's survey of those safeguards found that hundreds of apps' permissions would nonetheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.
“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” says Earlence Fernandes, one of the researchers on the study who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. “And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”
When WIRED reached out to Slack and Microsoft about the researchers' findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) Slack, for its part, says that the collection of approved apps available in its Slack App Directory does receive security reviews before inclusion and is monitored for any suspicious behavior. It "strongly recommends" that users install only these approved apps and that administrators configure their...