Slack and Microsoft Teams, arguably the two greatest online communication and collaboration platforms today, allow hundreds of third-party applications to be enabled, and this is a security nightmare, experts said.
Researchers at the University of Wisconsin-Madison say that developers at Slack and Microsoft rarely review the code of third-party applications. Even the applications that are reviewed undergo a relatively superficial analysis, in which reviewers check whether the application is performing as intended or encrypting data, and run automatic scans for vulnerabilities.
The rest just sit on the app developers’ servers and integrate freely with Slack and Microsoft Teams.
Main threats
As these platforms become the de facto operating systems for corporate productivity, this is a major security risk, the researchers say.
“Slack and Teams are becoming the clearinghouse for all of the organisation’s sensitive resources,” said Earlence Fernandes, one of the study authors and professor of computer science at the University of California, San Diego. “And yet, applications running on them that provide multiple collaboration features can violate any user expectations for security and privacy on such a platform.”
For now, Microsoft is staying silent on the issue until it can talk to the researchers in more detail.
Slack, on the other hand, said it has a collection of approved applications that can be found in the Slack application directory, and it “strongly recommends” that users install only these applications on their endpoints. The company added that these applications receive security reviews before being turned on and are monitored for suspicious behavior.
Additionally, Slack suggests IT administrators set up their workspaces to allow users to install applications only with administrator privileges. “We take privacy and security very seriously and are working to make Slack a trusted environment for development and distribution of applications, and to ensure that these applications are enterprise-class from day one,” the company concluded.
By: Wire