Criticism of Teams & Slack security:
Secure applications?
A recent study on Microsoft Teams and Slack criticizes the security of both apps. In some cases they have serious gaps that the companies know about.
A recent study on the security of the app models used in corporate communication tools criticizes Slack and Microsoft Teams. It finds that they are not secure enough to protect users from attacks on sensitive company data.
The underlying research, which was picked up by the news site WIRED, shows in part troubling gaps in the security models of Slack and Teams, from a lack of verification of third-party app code to default settings that allow any user to install potentially dangerous apps for an entire workspace.
Furthermore, the researchers criticized that, in both Slack and Teams, an installed third-party app could potentially post messages as a user, hijack the functionality of other legitimate apps, or even access content in private channels (specifically in the case of Slack), although the app itself was never granted such permission.
This is a concern because many companies have depended on applications such as Teams or Slack, especially since the beginning of the pandemic. Not only is sensitive information from private individuals collected there, but company resources are also collected and shared. In many cases, several applications are linked in order to communicate across many channels.
When asked by WIRED, Slack pointed out that it has a collection of approved apps. These are available in the Slack App Directory and are thoroughly screened for security and suspicious behavior prior to inclusion. Slack therefore strongly recommends installing only approved apps and allowing changes only with admin rights.
However, the study states that Slack's verification of the applications is only superficial, because Slack itself does not have access to the actual code of the apps. In both Slack and Teams, it is also possible by default to add other apps to a workspace that do not need to be checked further.
Compared with the App Store on iOS devices or Google Play, the security model of applications such as Slack or Teams is therefore said to be “five to six years behind”, which is a downright scathing judgment for both companies.
Microsoft and Slack knew about the study
Microsoft has not yet commented on the study. According to the researchers, the results were communicated to Microsoft and Slack in advance. Both companies are said to have stated that they are dealing with the problem but do not define it as a security vulnerability, since it is based on the knowing actions of the users.
According to the researchers, however, this view places the whole responsibility in the hands of the users and administrators when it comes to evaluating apps. They are even less able to recognize the legitimacy of unknown apps.
Some of the problems could reportedly be fixed by “relatively simple patches”. However, if the Slack and Teams apps are still hosted on third-party servers, the “deeper problem” remains. Teams and Slack would therefore have to fundamentally overhaul their app model to be able to guarantee more security.
Reference: www.pc-magazin.de