【Watch Japanese black stockings female doctor gives oral sex service to patients Online】

A security researcher has uncovered a flaw in Slack that could've been exploited to steal files over the business messaging app and Watch Japanese black stockings female doctor gives oral sex service to patients Onlinepotentially spread malware.

The flaw involves Slack's Windows desktop app, and how it can automatically send downloaded files to a certain destination—whether it be on your PC or to an online storage server. You can set a download location in the app's preferences section. However, David Wells, a researcher at the security firm Tenable, noticed there's another way to configure the option: Via a special link.

"Crafting a link like 'slack://settings/?update={ 'PrefSSBFileDownloadPath':'}' would change the default download location if clicked," Wells wrote in a blog post on the vulnerability.

Wells realized the same function could be abused. Imagine a hacker using the links to secretly reconfigure a Slack desktop app to send all downloaded files to an outside server. "Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," Well's security firm Tenable said in a separate report.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

Original image has been replaced. Credit: Mashable

The vulnerability can also pave the way for potential malware infections. Any downloaded files sent to the hacker-controller server can be altered and booby-trapped to include malicious code. The attack will commence once the victim opens the file on the Slack desktop app.

The main obstacle of carrying out this attack is circulating the hacker-created links to people on Slack, which keeps its channels private to paying clients and their companies. To pull this off, Wells noticed how Slack channels can be configured to subscribe to RSS feeds, including threads on Reddit.

"I could make a post to a very popular Reddit community that Slack users around the world are subscribed to," Wells said. The hacker-created link will then populate inside the Slack channel and possibly attract some clicks.

"This technique could be unmasked by savvy Slack users, however if decades of phishing campaigns have taught us anything, it's that users click links, and when leveraged through an untrusted RSS feed, the impact can get much more interesting," he added.

Slack has patched the flaw in version 3.4.0 of the Windows desktop app. "We investigated and found no indication that this vulnerability was ever utilized, nor reports that our users were impacted," the company said in an email.

---

Featured Video For You

---

Chadwick Boseman tapped to play history's first black samurai

---

• Deals
• Life
• Shopping
• Digital Culture
• Games
• Tech
• Entertainment
• Science

• Assassin's Creed Origins: How Heavy is It on Your CPU?
• Yes, mobile VR is possible without strapping a smartphone to your face
• 10 gifts to give Ruth Bader Ginsburg on her 84th birthday
• Blizzard Entertainment is suing a cheating service for $8.7 million
• Get a free soundbar when you buy a 34
• Samsung's fancy Galaxy Tab S3 costs just as much as an iPad Pro, but it comes with the S
• This guy is crowdfunding to send politicians a spine
• 10 gifts to give Ruth Bader Ginsburg on her 84th birthday
• Fritz vs. Monfils 2025 livestream: Watch Australian Open for free
• McDonald's debuts mobile app so you can order all the Big Macs you can eat

• Facebook cofounder and others pledge $10 million toward universal basic income research
• The company that sells Snuggies just sued Amazon
• New Google Play policies aim to fix loot boxes, curb sex and hate
• 'Minecraft: Story Mode' will be discontinued on June 25
• Kid Rock is selling Trump shirts and they're as bad as you'd expect
• #Pizzagate might have claimed its first casualty in Trump’s team
• Apple TV will support Xbox and PlayStation controllers
• Apple could save music lovers from the disaster that is iTunes
• Pizzagate truthers targeting Brooklyn shop have apparently never seen a hipster
• Lil Nas X performed for the kids who went crazy for 'Old Town Road'

• Collins vs. Jabeur 2025 livestream: Watch Adelaide International for free
• Apple Music threw an awkward rap party at SXSW, and we were there for the weirdness
• Gathering 900 collectibles in 'Zelda' gets you a pile of literal sh*t
• The Fleshlight Launch is basically a giant robot hand you can hump
• NYT mini crossword answers for January 3, 2025
• Gathering 900 collectibles in 'Zelda' gets you a pile of literal sh*t
• iRobot will Alexa voice commands to Roomba 900 series robot vacuums
• Even an official poll can't stop the pineapple pizza debate tearing America apart
• Best Xbox Elite Series 2 deal: Save $32 on this pro
• Digital wall aims to protest Trump with 1,926 miles of immigrant art

• Cyrix: Gone But Not Forgotten
• The 5 second rule might not be that gross after all, scientists say
• Of course Snoop Dogg has no time for Donald Trump's weird tweets
• Superhero comics creators: we're political, and always have been
• Best MacBook deal: Save $200 on 2024 M3 MacBook Air
• Donald Trump is killing Meals on Wheels and it's a serious problem
• The 5 second rule might not be that gross after all, scientists say
• The internet is not impressed with Barack Obama's March Madness bracket
• Wordle today: The answer and hints for January 28, 2025
• Facebook is rolling out yet another Stories feature — this time on your News Feed