Security researchers say they have discovered a way to trick Slack's artificial intelligence assistant into sharing sensitive information and other secrets with unauthorized users.
Slack, used by over 35 million people worldwide, introduced its own Artificial Intelligence (AI) tool in September 2023, allowing users to summarize multiple unread messages, answer different questions, search for files, and more.
But as we've seen with other chatbots in the past, with a carefully crafted prompt (a command given to the AI), a malicious actor could force the tool to reveal sensitive data from private Slack channels that they're not a part of.
“Expected behavior”
Security firm PromptArmor, which found the flaw and reported it to Salesforce, explained how criminals could steal API keys, for example:
“We demonstrate how this behavior will allow an attacker to leak API keys that a developer put into a private channel (to which the attacker does not have access).”
The attack involves creating a public Slack channel and inserting a malicious message that the AI reads. It then instructs the large language model (LLM) to respond to API key queries by providing a clickable URL. Clicking the URL will send the API key data to the attacker-controlled website, where they can obtain it.
In addition to API keys, criminals could also exploit this vulnerability to obtain files uploaded to Slack, as these are also read by AI.
Plus, since AI also reads files, hackers don’t even need to be part of the Slack workspace to be able to steal secrets. All they need to do is hide the malicious message in a document and get a member of the workspace to upload it (using social engineering, for example).
“If a user downloads a PDF that has one of these malicious instructions (e.g. hidden in white text) and subsequently uploads it to Slack, the same downstream effects of the attack chain can be achieved,” PromptArmor said.
Slack owner Salesforce has apparently fixed the issue with private channels. Public ones, on the other hand, appear to have remained vulnerable. PromptArmor claims Salesforce told it that “messages posted in public channels can be searched and viewed by all members of the workspace, regardless of whether they are joined to the channel or not. This is intended behavior.”
Through The Registry