Cybersecurity researchers uncovered a vulnerability in Slack’s link-rendering mechanism: when a space is missing between a full stop and the next word (e.g., `face.book`), Slack treats the run of text as a domain and renders it as a hyperlink, which could be exploited to generate deceptive links. Attackers manipulated Wikipedia articles by inserting maliciously formatted footnotes, tricking Slack into displaying fake links in preview panes. These links, when clicked, redirected victims to malware-hosting sites. Over 1,000 Wikipedia pages were identified as potential vectors. The attack required prior access to a victim’s Slack workspace (e.g., via a compromised account) and relied on social engineering to lure clicks. While no direct data breaches or financial losses were confirmed, the flaw exposed users to phishing and malware risks, undermining trust in Slack’s platform security. The issue also highlighted broader concerns about Slack’s third-party app integration policies, which could enlarge the attack surface. No evidence suggested large-scale exploitation, but the method’s simplicity and reliance on a trusted source (Wikipedia) increased its potential effectiveness.
TPRM report: https://www.rankiteo.com/company/tiny-spec-inc
{
  "id": "tin0344703102825",
  "linkid": "tiny-spec-inc",
  "type": "Vulnerability",
  "date": "10/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "industry": "Enterprise Communication/SaaS",
      "location": "Global",
      "name": "Slack (by Salesforce)",
      "size": "Large",
      "type": "Technology Company"
    },
    {
      "industry": "Online Encyclopedia",
      "location": "Global",
      "name": "Wikipedia (Wikimedia Foundation)",
      "size": "Large",
      "type": "Non-Profit Organization"
    }
  ],
  "attack_vector": [
    "Phishing",
    "Link Manipulation",
    "Third-Party Platform Exploitation (Wikipedia/Slack Integration)"
  ],
  "description": "Cybersecurity researchers from eSentire discovered a vulnerability in how Slack renders Wikipedia articles, allowing attackers to trick users into opening malware-laden websites by exploiting Slack's link-rendering behavior. The flaw arises when a missing space between a full stop and the next sentence causes Slack to misinterpret text as a domain (e.g., 'face.book' becomes 'http://face.book'). Attackers can edit Wikipedia articles to insert reference footnotes in strategic locations, forcing Slack to generate a non-existent link in its preview pane. This link can later be edited to redirect victims to malicious sites. Over 1,000 Wikipedia pages were found to be vulnerable. The attack requires the victim to use Slack, the attacker to join their workspace (potentially via a compromised account), and social engineering to lure the victim into clicking the link. The method also works on other platforms like Medium, but Wikipedia was targeted due to its perceived authority.",
  "impact": {
    "brand_reputation_impact": [
      "Potential erosion of trust in Slack's security",
      "Exploitation of Wikipedia's perceived authority"
    ],
    "identity_theft_risk": "High (if malware includes keyloggers or info-stealers)",
    "systems_affected": [
      "Slack Workspaces",
      "User Endpoints (via Malware)"
    ]
  },
  "initial_access_broker": {
    "entry_point": "Compromised Slack account or social engineering to join workspace",
    "high_value_targets": [
      "Slack users with access to sensitive data",
      "Organizations relying on Wikipedia as a trusted source"
    ]
  },
  "investigation_status": "Disclosed by eSentire; no public updates on patching or mitigation",
  "lessons_learned": [
    "Trust in authoritative sources (e.g., Wikipedia) can be weaponized in social engineering attacks.",
    "Third-party platform integrations (e.g., Slack's link preview) can introduce unintended attack vectors.",
    "Attackers exploit human behavior (e.g., missing spaces in text) to bypass technical controls.",
    "Proactive monitoring of public platforms (e.g., Wikipedia edits) is critical for early threat detection."
  ],
  "motivation": [
    "Malware Distribution",
    "Credential Theft",
    "Exploiting Trust in Authoritative Sources"
  ],
  "post_incident_analysis": {
    "root_causes": [
      "Slack's overly permissive link-rendering logic",
      "Lack of input validation for Wikipedia reference footnotes in external previews",
      "Trust in platform integrations without sufficient security controls"
    ]
  },
  "recommendations": [
    "Slack should update its link-rendering logic to validate domains before generating previews.",
    "Wikipedia should implement safeguards against malicious reference footnote edits targeting external platforms.",
    "Organizations should educate users on verifying links in previews, even from trusted sources.",
    "Enable stricter third-party app integration policies in Slack to mitigate similar risks.",
    "Use URL reputation services to block known malicious domains in real-time."
  ],
  "references": [
    {"source": "TechRadar Pro"},
    {"source": "eSentire Research"}
  ],
  "response": {
    "third_party_assistance": ["eSentire (Research/Disclosure)"]
  },
  "title": "Slack Wikipedia Link Rendering Glitch Enables Malware Distribution",
  "type": [
    "Vulnerability Exploitation",
    "Social Engineering",
    "Malware Distribution"
  ],
  "vulnerability_exploited": "Slack's link-rendering logic flaw (misinterpreting text as domains when missing spaces after punctuation)"
}