Slack AI could be tricked into leaking login details and more

The slack logo on a mobile phone in front of a purple wall with the slack logo on it
Slack - nu med lite mer (artificiell) intelligens. (Image credit: Shutterstock)

Security researchers claim to have uncovered a way to trick Slack’s AI assistant into sharing sensitive information and other secrets with unauthorized users

Slack, which is used by more than 35 million people worldwide, introduced its own Artificial Intelligence (AI) tool in September 2023, allowing users to summarize multiple unread messages, answer different questions, search for files, and more.

But as we’ve seen with other chatbots in the past, with a carefully crafted prompt (a command given to the AI), a malicious actor could force the tool to disclose sensitive data from private Slack channels they’re not a part of.

"Intended behavior"

Security firm PromptArmor, which found the flaw and reported it to Salesforce, explained how crooks could steal API keys, for example:

"We demonstrate how this behavior will allow an attacker to exfiltrate API keys that a developer put in a private channel (that the attacker does not have access to)."

The attack revolves around creating a public Slack channel and inputting a malicious prompt, which the AI reads. It will then instruct the Large Language Model (LLM) to respond to queries for the API key by providing a clickable URL. Clicking on the URL will send the API key data to the attacker-controlled website, where they can pick it up.

Aside from API keys, the crooks could also abuse this vulnerability to grab files uploaded to Slack, as well, since the AI reads those, too.

Furthermore, because the AI reads files as well, the hackers don’t even need to be a part of the Slack workspace to be able to steal secrets. All they need to do is hide the malicious prompt in a document and get a workspace member to upload it (with social engineering, for example).

"If a user downloads a PDF that has one of these malicious instructions (e.g. hidden in white text) and subsequently uploads it to Slack, the same downstream effects of the attack chain can be achieved," PromptArmor said.

Salesforce, which owns Slack, says it has apparently patched the bug, with a company spokesperson telling TechRadar Pro, "When we became aware of the report, we launched an investigation into the described scenario where, under very limited and specific circumstances, a malicious actor with an existing account in the same Slack workspace could phish users for certain data. We’ve deployed a patch to address the issue and have no evidence at this time of unauthorized access to customer data. Full updates are available at http://slack.com/blog/news/slack-security-update-082124."

PromptArmor says Salesforce told it that "messages posted to public channels can be searched for and viewed by all Members of the Workspace, regardless if they are joined to the channel or not. This is intended behavior."

Via The Register

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.