Hackers Can Access Private Slack Channels Due to Security Flaw

Hackers have discovered a new method to exploit AI tools within the popular workplace messaging app Slack, enabling the chatbot to send malware. This vulnerability, which allows malicious code to be disguised within uploaded documents and Google Drive files, raises concerns about the security of AI systems that lack the ability to discern harmful user requests. Slack's cybersecurity team responded promptly, patching the issue on the same day it was reported by external experts. The flaw was identified by cybersecurity researchers from PromptArmor, who noted that a recent update to Slack AI increased its susceptibility to malware. The update allowed the AI to ingest uploaded documents and files, thereby expanding the risk surface area. Hackers can now create private or public chat channels to obscure the origin of their malicious code, leading to a higher likelihood that Slack AI will execute harmful instructions. Akhil Mittal, a senior manager for cybersecurity strategy at Synopsys Software Integrity Group, expressed concerns about the safety of current AI tools, emphasizing that the rapid deployment of competing AI offerings in Silicon Valley has left them vulnerable. He highlighted the importance of not only fixing existing problems but also ensuring that these tools manage data securely. The widespread use of Slack across various organizations amplifies the potential risks associated with such vulnerabilities. PromptArmor warned that the issue of public channel sprawl could exacerbate the threat landscape, making it crucial for users to remain vigilant and consider disabling certain settings to mitigate exposure.