Slack’s ability to integrate with so many third-party apps is one of its major selling points. These integrations allow teams to work together more efficiently, automate tasks, and customise Slack to their specific needs.

However, while these integrations are key to working effectively on Slack, the permissions they request can be wide-ranging - and risky.

This is because when you provide permissions to a third-party app in Slack, you place your sensitive data in their hands. If the app isn’t secure, neither is your data.

It’s critical, then, to understand the exact risks that third-party permissions pose, as well as the steps you need to take to keep your data completely secure.

What permissions do third parties in Slack have?

For third-party integrations to work, you need to provide them with certain permissions. When a third-party app requests these permissions, it’s telling you what level of access you’ll be granting it to your Slack data and how it will be able to use that data. Common permission types include:

• Reading messages: Allowing the app to view conversations within channels or direct messages it's authorised to access.
• Accessing user data: Granting the app the ability to see your profile information, email address, and potentially even other users' data depending on the specific permission scope.
• Sending messages on behalf of users: Enabling the app to post messages in channels or DMs directly.
• Access to file uploads and downloads: Granting the app the ability to view and potentially download files shared within authorised channels or DMs.

The specific permissions requested can vary significantly between different apps. Some may require minimal access, while others might seek broader permissions - bringing a higher security risk with them.

What risks do these third-party permissions bring about?

When you give third-party apps a high level of access to your workspace and its data, you place your security in their hands. If these apps aren’t secure - or worse still, are malicious apps posing as legitimate ones - accepting their permissions puts your data at risk.

The risks are particularly acute here because many businesses’ most sensitive data can be found in their Slack workspaces, often shared in channels with hundreds of users. This includes email and social media credentials, API keys, payment details, personal addresses, and passwords to other applications.

To manage this risk, Slack does offer certain basic security measures. These include providing users with their App Directory - where you can find verified Slack partners like Metomic - as well as the option for administrators to restrict app installations.

However, Slack’s inbuilt protections are not enough on their own. Research from the University of Wisconsin-Madison identified several vulnerabilities:

• Lack of code vetting: Slack doesn’t thoroughly review the code of third-party apps, relying instead on permissions granted upon installation. However, many apps have permissions that could potentially compromise security, such as posting messages as a user or accessing private channels without explicit permission.
• Default settings and permissions: By default, any user can install apps for the entire workspace, and apps can request permissions that allow them to perform potentially malicious actions. These include hijacking other apps' functions or impersonating users.
• Potential for malicious use: The study outlines possible attack vectors, such as malicious apps disguised as legitimate ones, or legitimate apps being compromised in a supply chain attack. The lack of access to the apps' underlying code means these changes could go undetected.

These vulnerabilities in Slack explain why so many stolen Slack credentials can be found for sale on the dark web. Researchers found 17,000 credentials from 12,000 different Slack workspaces being sold online, underscoring the scale of the problem.

It’s clear, then, that Slack isn’t a ‘set it and forget it’ platform when it comes to cybersecurity. Organisations need to take proactive measures to prevent cybercriminals from gaining access to their data on the platform.

How can my business mitigate third-party permission risks?

Slack itself sets out some best practices for managing app permissions, including:

• Implementing app approval settings at the workspace or organisational level to regulate app usage and data access.
• Establishing clear security criteria for approving or restricting apps, considering their permissions and potential data exposure.
• Thoroughly evaluating the permissions an app requests and the developer's security credentials to ensure compliance with your organisation's standards.
• Educating your team on the app request and approval process to enhance security awareness. This should be part of a wider tech-supported strategy to get your employees to proactively defend against cyberattacks, which we call the Human Firewall.

We would also add that you should encrypt your Slack data, both when stored and during transmission, to make it unreadable to intruders. This feature is typically available with both free and paid plans, but be sure to double check this and make sure it’s enabled.

These best practices represent a good starting point, but they won’t be enough on their own to completely secure your Slack data. Most businesses will need specialised cybersecurity software to locate and protect your sensitive data in Slack. This is where Metomic comes in.

How can Metomic help?

Metomic for Slack secures your sensitive data stored in the platform. Our solution:

• Locates your sensitive Slack data and identifies risks. Metomic gives you complete oversight over your sensitive data in Slack and pinpoints critical security risks.
• Protects your sensitive data in Slack automatically. Metomic's proven policies automate data redaction, data retention, and employee notifications, without hindering your employees’ workflows.

With Metomic’s protection, you can safely experience the vast productivity benefits of Slack.

We’ve helped customers like Oyster, who said: “We can police Slack to see if people are posting information that they shouldn’t. But a tool like Metomic makes it a lot easier for us to do that.”

To learn more about how our solution secures your Slack data, request a demo.