Intigriti - Hack Hub
  • Misconfig Mapper Docs
    • Introduction
    • Supported Services
    • CLI Tool
    • Contributing
  • Services
    • GraphQL
      • GraphQL Introspection Query Enabled
    • Symfony PHP
      • Symfony Profiler Enabled
    • Postman API Platform
      • Public Workspaces
    • Salesforce
      • Salesforce Lightning Aura Components Enabled
    • Trello
      • View Permissions on Trello Boards
    • Figma
      • View access misconfiguration
    • Freshworks Freshservice
      • Open User Registration
    • Slack
      • No Admin Approval for Invitations
    • Atlassian Bitbucket
      • Publicly Accessible Private Repositories
    • Atlassian Confluence
      • Anonymous access to Remote API
      • Disabled XSRF Protection
      • User Email Visibility
      • Misconfigured Spaces
    • Atlassian Jira
      • Open User Registration
      • Atlassian Jira Email Visibility
      • Atlassian Jira Service Desk Open Signups
    • AWS S3
      • Misconfigured List Permissions
    • Cloudflare R2
      • R2.DEV Enabled
    • Google Groups
      • Misconfigured read permissions
    • Google Docs
      • Misconfigured read permissions
    • Google Cloud Storage Bucket
      • Misconfigured access controls
    • Google OAuth
      • Unrestricted email domains
    • Jenkins
      • Open Signups
      • Public Groovy Script Console
    • GitLab
      • Gitlab Private Source Code Snippets Exposed
    • Drupal
      • Drupal Nodes with Misconfigured Access Controls
    • Laravel
      • Debug Mode Enabled
      • Laravel Telescope Enabled In Production
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Services
  2. Slack

No Admin Approval for Invitations

PreviousSlackNextAtlassian Bitbucket

Last updated 1 year ago

Was this helpful?

Description:

Slack is a popular instant-messaging platform mainly used by companies for work-related communications between team members. It can also pose as a unintentional potential security threat to companies if access is not monitored and internal-only data is shared among members in Slack. By default anyone can send invitations to invite new members. It is a best practice to only allow administrators to send and accept invitations.

Testing:

To check if you have permissions to invite a new member:

  1. Sign in to your Slack Workspace

  2. Open any channel

  3. Click on Add people

  4. A popup will open up, enter the user's email address

  5. Finally, click Add

These reproduction steps prove that you're able to invite new members without approval from an administrator.

Remediation:

It is a best practice to allow only workspace administrators to invite new members. To do so:

  1. Sign in as the workspace administrator

  2. Next, navigate to /admin/settings on your Slack workspace (or click on your workspace name, hover over Tools & Settings and click on Workspace Settings)

  3. Open Permissions

  4. Expand Invitations

  5. Check the Require admin approval box, additionally, select the channel to receive requests in.

  6. Finally click Save to save your changes

Potential Impact:

As team members often share internal company data between each other, Slack can become a potential target or attack vector to your organization. Other members can unintentionally invite unauthorized users and provide them internal access.

References:

https://slack.com/help/articles/115004854783-Require-admin-approval-for-workspace-invitations
https://slack.com/intl/en-in/help/articles/115004155306-Security-tips-to-protect-your-workspace