Researchers discovered a serious vulnerability in the special service of the popular communication tool, Slack AI. An adversary can steal data from private Slack channels by injecting malicious clues into Slack AI.
Slack AI vulnerability allowed stealing data via quick injection
According to a recent after from PromptArmor, Slack AI exposes the data and chats of private channels in response to a quick injection.
Slack AI is a recently launched feature of Slack that provides users with a fast AI assistant. This feature allows users to search for answers to questions, generate channel highlights or summaries, and create summaries of long conversations for instant reference.
To achieve all these purposes, Slack AI has explicit access to users’ conversations across private and public channels. Attackers can exploit this to gain access to data from unrelated channels, especially private channels.
The researchers explained that an adversary can perform quick injection attacks to extract data from private Slack channels. That’s because the LLM cannot distinguish between genuine and malicious clues. Therefore, an adversary can inject clues into Slack AI to steal information from other channels without joining them.
Initially, Slack AI only processed text messages. However, the latest versions also accept other data, such as Google Drive links and file attachments. This wide range of data accessible to Slack AI also increases the scope of information at risk of rapid injection attacks. An attacker can even request sensitive data, such as private documents or API keys, from private, unrelated channels via Slack AI. To do this, the attacker simply needs to create a public channel to request Slack AI.
The researchers shared the technical details about this issue in their post.
Salesforce has confirmed the deployment of a patch
Following this discovery, the researchers responsibly disclosed the issue to the Slack team. However, they could not convince the suppliers of the seriousness of the matter, because Slack considered the evidence of the vulnerability insufficient.
Nevertheless, this is stated in a statement The registrya Salesforce spokesperson confirmed that a patch has been deployed.
When we became aware of the report, we initiated an investigation into the described scenario where, under very limited and specific circumstances, a malicious actor with an existing account in the same Slack workspace could phish users for sensitive data. We have deployed a patch to resolve the issue and currently have no evidence of unauthorized access to customer data.
Let us know your thoughts in the comments.
source: https://www.theregister.com/2024/08/21/slack_ai_prompt_injection/
