Researchers discovered a serious vulnerability in the popular communication tool’s special service, Slack AI. An adversary may steal data from private Slack channels by injecting malicious prompts into Slack AI.
Slack AI Vulnerability Allowed Stealing Data Via Prompt Injection
According to a recent post from PromptArmor, Slack AI exposes private channels’ data and chats in response to prompt injection.
Slack AI is a recently launched feature from Slack that empowers users with a swift AI assistant. This feature lets users seek answers to questions, generate channel highlights or recaps, and create thread summaries of long conversations for ready reference.
To achieve all these purposes, Slack AI has explicit access to users’ conversations across private and public channels. Attackers may exploit this to access data from unrelated channels, particularly private ones.
The researchers explained that an adversary may perform prompt injection attacks to extract data from private Slack channels. That is because the LLM cannot differentiate between genuine and malicious prompts. Hence, an adversary may inject prompts into Slack AI to steal information from other channels without joining them.
Initially, Slack AI only ingested text messages. However, the latest versions also accept other data, such as Google Drive links and file attachments. This wide range of data accessible to Slack AI also expands the extent of information at risk of prompt injection attacks. An attacker may even query sensitive data, such as private documents or API keys, from private, unrelated channels via Slack AI. For this, the attacker only needs to create a public channel to prompt Slack AI.
The researchers have shared the technical details about this issue in their post.
Salesforce Confirmed Deploying A Patch
After this discovery, the researchers responsibly disclosed the issue to the Slack team. However, they could not convince the vendors about the severity of the matter, as Slack deemed the evidence of vulnerability insufficient.
Nonetheless, in a statement to The Register, a Salesforce spokesperson confirmed deploying a patch.
When we became aware of the report, we launched an investigation into the described scenario where, under very limited and specific circumstances, a malicious actor with an existing account in the same Slack workspace could phish users for sensitive data. We’ve deployed a patch to address the issue and have no evidence at this time of unauthorized access to customer data.
Let us know your thoughts in the comments.
source: https://www.theregister.com/2024/08/21/slack_ai_prompt_injection/
