niomthailand.blogg.se

Slack open links in chrome

TL;DR - Slack’s permission model lets apps read and preview any link shared anywhere in the workspace, including in private channels and conversations. This can be used to collect sensitive information and carry out targeted phishing attacks.

Slack’s ecosystem of third-party apps and integrations is said to include more than 2,400 apps in its directory, with possibly tens of thousands of others that haven’t made it to the Slack marketplace. Just like any access claim, it may be challenging to restrict a third-party application’s access to only the resources it is entitled to – especially if these resources are external. This post is about one example: what could it mean for a Slack app to have access to URLs the app provider isn’t necessarily entitled to?

Before we dive in, let’s recap how Slack models app permissions. App permissions are managed through OAuth scopes, much like other app ecosystems (e.g.

In general, an installed application can have two types of permissions:

  • User permissions - these permissions allow the application to act on behalf of the user who installed it. For example, if the application has the `groups:read` user permission, it will be able to see the private channels that are visible to the user that installed it.
  • Bot permissions - these permissions allow the application to act as a separate user in the workspace. The bot user can be added to channels like any other user, so if the application has the `groups:read` bot permission, it will be able to see the private channels that the bot was added to.

It is worth noting that as a user in a Slack workspace, I should be able to grant an app access to my conversations, but neither I nor the apps I installed should be able to access private conversations of other users. This principle holds true both for bot and user-based apps. Even for workspace owners, accessing users’ private conversations is limited to a special permission available only for enterprise organizations.

So imagine my surprise when, last week, I sent a link to a Jira ticket to a colleague and got a reply from Jira bot. This link was sent in a private channel, and I don’t recall ever adding Jira bot to this channel. Checking the members list of the channel confirmed that indeed, Jira bot wasn’t a member. This contradicted everything I knew about Slack’s permissions model, so I investigated. I opened the Jira app in Slack’s apps directory and noticed it has a permission called `links:read`.
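An added example (not from the original post): a small audit over a constructed app inventory that applies the user and bot `groups:read` rules recapped in this post, then flags apps whose `links:read` scope, as the post describes it, reaches private channels they are not members of. The record layout, app names, user names and channel names are assumptions made for illustration.

```python
# Constructed sample data: channels, members and app records are illustrative only.
PRIVATE_CHANNELS = {
    "priv-finance": {"alice", "bob"},
    "priv-incident": {"alice", "tracker-bot"},
    "priv-hr": {"carol"},
}

APPS = [
    {"name": "tracker", "installer": "alice", "bot_user": "tracker-bot",
     "user_scopes": [], "bot_scopes": ["groups:read", "links:read"]},
    {"name": "notes", "installer": "bob", "bot_user": "notes-bot",
     "user_scopes": ["groups:read"], "bot_scopes": []},
]


def membership_visible(app, channels):
    """Private channels the app can see through groups:read."""
    visible = set()
    for name, members in channels.items():
        # User permission: the app sees what the installing user sees.
        if "groups:read" in app["user_scopes"] and app["installer"] in members:
            visible.add(name)
        # Bot permission: the app sees only channels its bot user was added to.
        if "groups:read" in app["bot_scopes"] and app["bot_user"] in members:
            visible.add(name)
    return visible


def audit(apps, channels):
    """Flag apps whose link exposure is wider than their channel membership."""
    findings = []
    for app in apps:
        scopes = set(app["user_scopes"]) | set(app["bot_scopes"])
        visible = membership_visible(app, channels)
        if "links:read" in scopes:
            # Per the post, links:read is not bounded by channel membership, so
            # every private channel outside `visible` is unexpected exposure.
            exposed = sorted(set(channels) - visible)
            findings.append({"app": app["name"],
                             "member_of": sorted(visible),
                             "links_exposed_without_membership": exposed})
    return findings


if __name__ == "__main__":
    for finding in audit(APPS, PRIVATE_CHANNELS):
        print(finding)
```

Feeding it a real inventory of installed apps and their granted scopes gives a review list of apps to check before links to internal tickets or documents are shared in private channels.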