Summary
- Slack was affected by a vulnerability in an AI-powered extension leaking private user data online.
- Over 1,000 unique users’ data from 200 companies was compromised in just an hour.
- Until the issue is fixed, users should take immediate remedial measures to reduce exposure.
Communication apps for personal use cannot be treated the same as those you would find in a corporate setting, and even the companies making the best chat apps have dedicated workspace-tier products. Slack is one such messaging app, and a popular tool for corporations of every size. Besides chat, voice, and video, it also helps boost productivity with browser-style extensions, but these extensions can introduce risks of their own. Case in point: an AI-powered integration was recently caught streaming private Slack messages online.
An AI-powered assistant called Struct Chat, available as an extension for Slack, was the subject of a recent Cybernews investigation (via TechRadar) when the outlet found an unprotected web service streaming sensitive user data without any authorization. The exposure was traced to an Apache Kafka broker, a hub that collects data from multiple applications and, for that reason, a favorite target of bad actors.
The broker processes everything from GitLab commits to Slack conversations, and if it is compromised, attackers get access to all of it. In Slack, Struct AI uses a ChatGPT core to summarize discussions, but the unprotected broker allowed the extension to leak usernames, email addresses, conversations with other users and with the AI bot, team names, links to internal URLs, and notifications of Slack actions, such as a user updating their profile.
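To show the underlying failure mode rather than the specific incident, here is an added, constructed Kafka broker configuration (not Struct's real configuration and not taken from the report): the exposed pattern, an unauthenticated plaintext listener with no authorizer, beside the settings a defender would expect. Hostnames, file paths, passwords and the principal name are placeholders.

```properties
# --- Exposed pattern (shown commented out; constructed example, not Struct's config) ---
# A PLAINTEXT listener on every interface and no authorizer: anyone who can reach
# port 9092 can list topics and consume every message flowing through the broker.
# listeners=PLAINTEXT://0.0.0.0:9092
# (authorizer.class.name left unset: no ACL checks at all)

# --- Hardened form of the same broker (ZooKeeper-based Kafka 2.4+ key names) ---
# Offer only a TLS + SASL listener; plaintext is not offered at all.
listeners=SASL_SSL://0.0.0.0:9093
# Placeholder hostname; must match the broker's certificate.
advertised.listeners=SASL_SSL://broker.internal.example:9093
listener.security.protocol.map=SASL_SSL:SASL_SSL
security.inter.broker.protocol=SASL_SSL

# Broker certificate plus the CA used to verify client certificates (placeholder paths).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
ssl.truststore.location=/etc/kafka/ssl/ca.truststore.jks
ssl.truststore.password=CHANGE_ME
ssl.client.auth=required

# Every client must authenticate; SCRAM credentials are stored by the cluster.
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
# Credentials the broker itself uses for inter-broker traffic (placeholder values).
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka-admin" password="CHANGE_ME";

# Deny by default: a principal reads or writes a topic only if an ACL grants it.
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin
```

Network access to port 9093 should additionally be limited to the hosts that run the integration, and `kafka-acls.sh --list` against the bootstrap server is a quick way to confirm that no topic is readable without an explicit grant.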
Millions of users at risk from active vulnerability
Deploy remedial measures immediately
It’s easy to see how this is a critical vulnerability in Slack, and since device IDs are visible along with users’ first and last names, hackers could target individuals with little effort. The report states that in a single hour, over 1,000 unique users’ data from 200 unique companies was compromised. As of Cybernews’ last check, the vulnerability was still open to exploitation, the company had ignored the outlet’s request for comment, and the product description for Struct still promised user safety.
It has been a while since the leak was discovered on October 14 last year and disclosed two days later. CERT was contacted on December 4 to speed up remediation. If you’re using the Struct Chat AI integration or know an enterprise that relies on it, we strongly suggest reducing your exposure, at least until the issue is satisfactorily patched.