Slack is one of many platforms that have integrated AI-powered features to boost productivity. It offers similar capabilities to other services, including summarizing messages, answering questions, etc. However, it appears that malicious third parties could trick Slack AI into revealing sensitive details, even from private groups.
Salesforce, owners of Slack, say that its AI implementation “uses the conversation data already in Slack to create an intuitive and secure AI experience tailored to you and your organization.” It basically acts as a chatbot trained on Slack users’ data. These types of implementations carry the risk of exposing private data if there are no proper security measures. Developers must set methods that prevent certain prompts from returning sensitive outputs.
Attackers could get data shared in private channels using Slack AI prompts
That said, it seems that Slack AI is vulnerable to prompt injection attacks. PromptArmor, a cyber security firm, found the vulnerability and reported it to the Salesforce team. According to the report, the vulnerability allows attackers to “leak API keys that a developer has put into a private channel (which the attacker does not have access to).” API keys, documents, or conversations, the vulnerability would offer access to what is shared in private channels.
So, theoretically, the vulnerability would allow a targeted attack against someone in particular. For example, if a malicious third party wants to access data (like login credentials) that a certain person has access to, they could convince them through social engineering to share it on a private channel. Then, the attacker would only have to use certain prompts to get the data. It is not even necessary to be part of a private group.
Attackers could even exploit the vulnerability with hidden instructions in documents. PromptArmor says that “if a user downloads a PDF that has one of these malicious instructions (e.g., hidden in white text) and subsequently uploads it to Slack, the same downstream effects of the attack chain can be achieved.”
Private channel vulnerability reportedly fixed; public channel behavior is “intended”
According to the report, the private channel vulnerability has already been fixed. On the other hand, public channels are still prone to prompt injections into Slack AI to get sensitive details. However, it seems that behavior in public channels will not change. In this regard, Salesforce said that “messages posted to public channels can be searched for and viewed by all Members of the Workspace, regardless if they are joined to the channel or not. This is intended behavior.”
2024-08-23 15:09:58