A new study claims that Microsoft Teams and Slack are basically operating systems, and yet they’re each missing a core piece of functionality: the privacy and security controls provided by mobile app stores.
The study, conducted by researchers at the University of Wisconsin-Madison, describes Teams and Slack as Business Collaboration Platforms (BCPs) that exceed the capabilities of typical apps and services because they offer extensibility models: developers can write third-party apps that run within these BCPs and greatly expand their functionality.
“It is vital to understand the security and privacy properties of this emerging class of distributed multi-user collaboration platforms,” the study explains. “Although there is work on understanding the operational security issues of BCPs, to our knowledge, no work has examined the third-party app model.”
The study focuses on Slack and Microsoft Teams because they are the two most widely used BCPs and have mature app ecosystems, but it notes that its security findings might apply to other BCPs as well. And the findings are not confidence-inspiring.
“Some of the design choices exacerbate the security and privacy concerns: all-or-nothing permissions that disallow selective toggling of permissions; [an] imperceptible installation that reduces the chances for users to notice what kinds of apps are installed and also prevents any workspace-wide consent mechanisms; and pure server-side implementation that prevents BCPs or other entities from inspecting the app’s behavior through traditional tools like static or dynamic analysis,” the study explains.
In a conversation with Wired—which is how I discovered this study—one of the researchers noted that malicious Teams and Slack apps could post messages as a user, hijack the functionality of other apps, or even bypass permissions to access private content. “Compared to [the app stores on] iOS or Android, I would say their security model is at least five to six years behind,” one researcher said.
The researchers contacted Microsoft and Slack with their findings, and while both confirmed that the attack techniques they describe are possible, both companies told them that the issues didn’t “meet their definitions of a security vulnerability” because they require deceiving users into installing a malicious app. But that’s sort of the problem: it’s the job of the platform to protect users from malicious apps. Microsoft and Slack seem to be putting this responsibility on IT administrators instead.