Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they're trusted with more organizations' sensitive data than ever before.

A new study by researchers at the University of Wisconsin-Madison points to troubling gaps in the third-party app security model of both Slack and Teams, which range from a lack of review of the apps’ code to default settings that allow any user to install an app for an entire workspace. And while Slack and Teams apps are at least limited by the permissions they seek approval for upon installation, the study's survey of those safeguards found that hundreds of apps' permissions would nonetheless allow them to potentially post messages as a user, hijack the functionality of other legitimate apps, or even, in a handful of cases, access content in private channels when no such permission was granted.

“Slack and Teams are becoming clearinghouses of all of an organization’s sensitive resources,” says Earlence Fernandes, one of the researchers on the study who now works as a professor of computer science at the University of California at San Diego, and who presented the research last month at the USENIX Security conference. “And yet, the apps running on them, which provide a lot of collaboration functionality, can violate any expectation of security and privacy users would have in such a platform.”

When WIRED reached out to Slack and Microsoft about the researchers' findings, Microsoft declined to comment until it could speak to the researchers. (The researchers say they communicated with Microsoft about their findings prior to publication.) Slack, for its part, says that a collection of approved apps that is available in its Slack App Directory does receive security reviews before inclusion and are monitored for any suspicious behavior. It "strongly recommends" that users install only these approved apps and that administrators configure their workspaces to allow users to install apps only with an administrator's permission. "We take privacy and security very seriously," the company says in a statement, "and we work to ensure that the Slack platform is a trusted environment to build and distribute apps, and that those apps are enterprise-grade from day one."

But both Slack and Teams nonetheless have fundamental issues in their vetting of third-party apps, the researchers argue. They both allow integration of apps hosted on the app developer's own servers with no review of the apps' actual code by Slack or Microsoft engineers. Even the apps reviewed for inclusion in Slack's App Directory undergo only a more superficial check of the apps' functionality to see whether they work as described, check elements of their security configuration such as their use of encryption, and run automated app scans that check their interfaces for vulnerabilities.

Despite Slack's own recommendations, both collaboration platforms by default allow any user to add these independently hosted apps to a workspace. An organization's administrators can switch on stricter security settings that require the administrators to approve apps before they're installed. But even then, those administrators must approve or deny apps without themselves having any ability to vet their code, either—and crucially, the apps' code can change at any time, allowing a seemingly legitimate app to become a malicious one. That means attacks could take the form of malicious apps disguised as innocent ones, or truly legitimate apps could be compromised by hackers in a supply chain attack, in which hackers sabotage an application at its source in an effort to target the networks of its users. And with no access to apps' underlying code, those changes could be undetectable to both administrators and any monitoring system used by Slack or Microsoft.

All of that leaves users—who have grown accustomed to more well-secured third-party app environments, such as the code reviews implemented in Apple's App Store and Google Play—vulnerable to risks they don't expect when they install a seemingly innocent app on their organization's collaboration workspace. "Compared to iOS or Android, I would say their security model is at least five to six years behind," University of Wisconsin researcher Yunang Chen says of Slack and Teams.

As in other stricter app models, Slack and Teams limit apps' data access with a set of permissions that users must approve for an app to be installed. But—setting aside that a single user can often approve those access permissions for an entire organization—the researchers found that apps' permissions can sometimes allow them to perform unexpected and dangerous behaviors. An app intended for scheduled posts that asks for the ability to post as the user can, for instance, impersonate them as part of a phishing scheme or send messages from their account to trigger another app's functionality. In some instances, software developers even allow changes to their code repositories based on Slack messages, potentially allowing an app that sends messages from a user account to alter code and corrupt their software.

In another attack, researchers found that apps can "overwrite" the command that launches another app in Slack or Teams, such as typing "/zoom" in one of the platforms to start a Zoom meeting. A malicious app, the researchers point out, could hijack that command to make "/zoom" instead launch an imposter copy of Zoom that intercepts all the users' communications. While the researchers note that Slack has recently added a safeguard that warns when an app overwrites a command in this way, it warns the user only upon installation of the app, and malicious apps can still perform that takeover trick after they're installed.

To get a sense of just how many apps might pose these sorts of risks, the researchers surveyed the permissions of all Slack and Teams apps and found that about one in three Teams apps and almost one in four Slack apps ask for permissions that would allow them to act as the user, posting messages or adding emoji reactions on their behalf. 52 percent of Slack apps ask for permissions that would allow them to overwrite another app's launch command.

The researchers also point to yet another security issue, specific to Slack, that can allow an app to access private channels that are "locked" and intended to be accessible only to specific users—even when the app asks for no such permission. The researchers found that when a link to a message in a private channel is copied into a user's direct messages to themselves, the private channel message "unfurls," and its text appears in that conversation if the user is a member of the private channel. So an app that merely asks for read and write access to a user's direct messages and basic information about—but not the content of—their private channels can also read all the messages posted to a private channel. (The app could also quickly delete the direct messages it sends to the user as part of the attack, to avoid leaving a record of its snooping.) In their survey of app permissions, the researchers found 11 Slack apps that ask for exactly those permissions, and thus could gain this unexpected private channel access.

Despite Microsoft's response to WIRED that it wanted to discuss the researchers' findings before commenting, the researchers write in their paper that they approached both Slack and Microsoft with their findings prior to publication, and both companies confirmed that their attack techniques were possible. They write, however, that Slack and Microsoft didn't consider their findings to "meet their definitions of a security vulnerability," since they required deceiving users into installing a malicious app, and both Slack and Microsoft expect workspace administrators to police those installations. But that response only puts the onus on administrators, argues University of Wisconsin researcher Yue Gao, who "are even worse off than Slack" when it comes to assessing an app's legitimacy.

Some of the problems that the researchers identified in Slack and Teams—like apps' ability to overwrite other apps' launch commands and read messages in private channels—could be fixed with relatively simple patches, says Andrei Sabelfeld, a computer science professor at Chalmers University of Technology in Sweden who reviewed the researchers' work. But if Slack and Teams apps continue to be hosted on third-party servers, the deeper problem would remain. "There's no way to have any account of what the developers are doing," Sabelfield says. "This points to a fundamental tension: The code is outside their control."

That means, both Sabelfield and the University of Wisconsin researchers argue, that any real fix would require Slack and Microsoft to broadly overhaul their app model to make it more like traditional operating systems that carefully vet the code of apps, monitor that code for changes, and strictly enforce the permissions apps are granted. If Slack and Teams are going to become the hub traversed by every organization's holiest of holy data, in other words, it's time they took better care of who is invited to the inner sanctum.