Watch out - sharing a Wikipedia link on Slack could be a serious security no-no

What if a Wikipedia link preview in Slack was malicious?

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers from eSentire have discovered a glitch in how Slack renders Wikipedia articles that could be abused to trick users into openingmalware-laden websites.

In popular messaging apps, including Slack, when a user forgets to add a space between a full stop and the first letter of the next sentence, the app will perceive it as a domain, and render the link accordingly. Typing “face.book me for…,” for instance, will becomehttp://face.book.

Now, if a malicious user edits a Wikipedia article at the right place and adds a reference footnote, they can trick Slack into rendering a link that doesn’t exist in the article. That link can later be edited to redirect the victim to a malicious website.

A lot of due diligence required

A lot of due diligence required

From that point on, all it takes is a little creativity to get the victim to click on the link in the preview of the otherwise benign Wikipedia link to be servedmalware.

This isn’t that uncommon on Wikipedia, either. The researchers have found more than 1,000 examples of pages where the reference footnote was added to the exact location to get the Slack preview pane to generate a link.

The same method works on other websites, too, like Medium, for example. However, the researchers have focused on Wikipedia because they believe it to be an authoritative, trusted source (although that’s debatable).

Obviously, to make it work, the attackers will first need to make sure that the victim has Slack, then join their workspace (possibly via a compromised account), and share a link that the victim will find interesting to lure them in.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Given thesuccess of phishing attacks, it certainly wouldn’t be surprising to see this kind of attack being attempted. Slack has also had some other security concerns recently, such as its ratherlax approach to accepting third-party app integration.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)