antikvm.blogg.se

Slack download bug

    Looking at the functions, we can see an interesting one in the protocol-link.ts module, which has the ability to change Slack app settings if clicked. I figured this may be an interesting attack vector, so with some grepping I found the area of code that processes these protocol links.


    The vulnerability could have allowed a remote attacker to submit a masqueraded link in a Slack channel that, “if clicked” by a victim, would silently change the download location setting of the Slack client to an attacker-owned SMB share. This could have allowed all future documents downloaded by the victim to end up being uploaded to an attacker-owned file server until the setting was manually changed back by the victim. While the document was on the attacker’s server, the attacker could have not only stolen it, but even inserted malicious code in it so that when it was opened by the victim after download (through the Slack application), their machine would have been infected. This entire technique relied on how Slack treated clickable links and what was possible with certain slack:// links. We will go over some interesting applications of this attack. Slack is an Electron app, which makes reverse engineering quite easy for us. As a Slack user, one feature that I was already familiar with was the support for “slack://” hyperlinks.
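The defensive side of the issue described above, as an added example that is not Slack's code or its actual fix: a protocol-link handler that only applies allowlisted settings and never lets a link change the download location. The `slack://settings/?update=<JSON>` link shape, the setting names (`downloadPath`, `theme`, `zoomLevel`) and the host `fileserver.example` are assumptions made for illustration.

```javascript
// Added example (hypothetical handler and setting names, not Slack's code).
// Settings a clicked link may change without the user confirming (assumed).
const LINK_SAFE_SETTINGS = new Set(['theme', 'zoomLevel']);

// True for UNC-style paths such as \\host\share or //host/share.
function isRemotePath(p) {
  return /^[\\/]{2}/.test(p);
}

// Second layer for the settings UI itself: accept only a local,
// drive-letter absolute path. A mapped drive letter can still point at a
// network share, so this check does not replace user confirmation.
function isSafeDownloadPath(p) {
  if (typeof p !== 'string' || p.length === 0) return false;
  if (isRemotePath(p)) return false;
  return /^[A-Za-z]:[\\/]/.test(p);
}

// Decide what a settings deep link is allowed to change.
// Returns { applied: {...}, rejected: { key: reason } }.
function handleSettingsLink(link) {
  const result = { applied: {}, rejected: {} };
  let url, update;
  try { url = new URL(link); } catch { return result; }
  if (url.protocol !== 'slack:' || url.hostname !== 'settings') return result;
  try { update = JSON.parse(url.searchParams.get('update') ?? '{}'); }
  catch { return result; }
  if (update === null || typeof update !== 'object' || Array.isArray(update)) {
    return result;
  }
  for (const [key, value] of Object.entries(update)) {
    if (key === 'downloadPath') {
      // A link never moves where files land; record why for logging/alerting.
      result.rejected[key] = isRemotePath(String(value))
        ? 'remote-path'
        : 'needs-user-confirmation';
    } else if (LINK_SAFE_SETTINGS.has(key)) {
      result.applied[key] = value;
    } else {
      result.rejected[key] = 'not-allowlisted';
    }
  }
  return result;
}

// Constructed sample link: tries to redirect downloads to a remote share.
const SAMPLE_LINK = 'slack://settings/?update=' + encodeURIComponent(
  JSON.stringify({ downloadPath: '\\\\fileserver.example\\share', theme: 'dark' }));
console.log(handleSettingsLink(SAMPLE_LINK));
```

The `rejected` reasons are worth logging: a `remote-path` rejection for a download setting is a strong signal that someone posted a masqueraded link.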


    The vulnerability was reported to Slack via HackerOne based on our coordinated disclosure policy, and Slack has patched this issue in one of its latest updates, v3.4.0.


    I’m going to go over an interesting feature abuse that could have been used to steal and even manipulate downloads from Slack users using the Slack desktop app on Windows.







