The Dark Side of AI: How Slack’s AI Assistant Can Be Tricked into Leaking Sensitive Information
As a long-time user of Slack, I was excited to hear about the introduction of its AI assistant, designed to make our lives easier by summarizing unread messages, answering questions, and searching for files. However, my enthusiasm was short-lived, as I soon discovered that this AI tool can be tricked into leaking sensitive information and secrets with unauthorized users.
According to security researchers, a malicious actor can force the AI tool to disclose sensitive data from private Slack channels they’re not a part of. This can be done by creating a public Slack channel and inputting a malicious prompt, which the AI reads and responds to by providing a clickable URL. Clicking on the URL will send the sensitive data to the attacker-controlled website, where they can pick it up.
“The attack revolves around creating a public Slack channel and inputting a malicious prompt, which the AI reads. It will then instruct the Large Language Model (LLM) to respond to queries for the API key by providing a clickable URL. Clicking on the URL will send the API key data to the attacker-controlled website, where they can pick it up.” - PromptArmor
This vulnerability is not limited to API keys; it can also be used to grab files uploaded to Slack, as the AI reads those too. What’s even more alarming is that the hackers don’t even need to be part of the Slack workspace to steal secrets. All they need to do is hide the malicious prompt in a document and get a workspace member to upload it (with social engineering, for example).
Salesforce, which owns Slack, has apparently patched the bug for private channels. However, public ones seem to have remained vulnerable. PromptArmor says Salesforce told it that “messages posted to public channels can be searched for and viewed by all Members of the Workspace, regardless if they are joined to the channel or not. This is intended behavior.”
As a user of Slack, I’m concerned about the security of my sensitive information. While I appreciate the convenience of the AI assistant, I believe that security should be the top priority. I hope that Salesforce will take immediate action to address this vulnerability and ensure that our data is protected.
In the meantime, I recommend that users be cautious when using the AI assistant and avoid clicking on suspicious links or downloading files from unknown sources. It’s also essential to keep our software up to date and use strong passwords to protect our accounts.
As the use of AI becomes more widespread, we need to be aware of the potential risks and take steps to mitigate them. This incident serves as a reminder that even the most advanced technology can have vulnerabilities, and it’s up to us to stay vigilant and protect our sensitive information.
“If a user downloads a PDF that has one of these malicious instructions (e.g. hidden in white text) and subsequently uploads it to Slack, the same downstream effects of the attack chain can be achieved.” - PromptArmor
Let’s hope that Salesforce will take this incident seriously and take immediate action to address the vulnerability. In the meantime, let’s all be cautious and stay safe online.