“Compared to iOS or Android, I would say their security model is at least five to six years behind,” one researcher said. In a conversation with Wired-which is how I discovered this study-one of the researchers noted that malicious Teams and Slack apps could post messages as a user, hijack the functionality of other apps, or even bypass permissions to access private content. “Some of the design choices exacerbate the security and privacy concerns: all-or-nothing permissions that disallow selective toggling of permissions imperceptible installation that reduces the chances for users to notice what kinds of apps are installed and also prevents any workspace-wide consent mechanisms and pure server-side implementation that prevents BCPs or other entities from inspecting the app’s behavior through traditional tools like static or dynamic analysis,” the study explains. And the findings are not confidence-inspiring. The study focuses on Slack and Microsoft Teams because they are the two most widely-used BCPs and have mature app ecosystems, but it notes that any security findings might apply to other BCPs as well. “Although there is work on understanding the operational security issues of BCPs, to our knowledge, no work has examined the third-party app model.” “It is vital to understand the security and privacy properties of this emerging class of distributed multi-user collaboration platforms,” the study explains.
The study, conducted by researchers at the University of Wisconsin-Madison, describes Teams and Slack as Business Collaboration Platforms (BCPs) that exceed the capabilities of typical apps and services by offering extensibility models by which developers can write apps that run within these BCPs and greatly expand their functionality.
A new study claims that Microsoft Teams and Slack are basically operating systems, and yet they’re each missing a core piece of functionality: the privacy and security controls provided by mobile app stores.
0 kommentar(er)
