Mingming Zha (Indiana University Bloomington), Jice Wang (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences), Yuhong Nan (Sun Yat-sen University), Xiaofeng Wang (Indiana University Bloomington), Yuqing Zhang (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences), Zelin Yang (National Computer Network Intrusion Protection Center, University of Chinese Academy…

Team Chat (TACT) systems are now widely used for online collaboration and project management. A unique feature of these systems is their integration of third-party apps, which extends their capabilities but also introduces complexity that could put the TACT system and its end users at risk.

In this paper, for the first time, we demonstrate that third-party apps in TACT systems indeed open the door to new security risks, such as privilege escalation, deception, and privacy leakage. We studied 12 popular TACT systems, following the key steps of a third-party app's life cycle (its installation, update, configuration, and runtime operations). Notably, we designed and implemented a pipeline for efficiently identifying the security risks of TA APIs, a core feature provided for system-app communication.

Our study leads to the discovery of 55 security issues across the 12 platforms, with 25 in the install and configuration stages and 30 vulnerable (or risky) APIs. These security weaknesses are mostly introduced by improper design, lack of fine-grained access control, and ambiguous data-access policies. We reported our findings to all related parties, and 8 have been acknowledged. Although we are still working with the TACT vendors to determine the security impacts of the remaining flaws, their significance has already been confirmed by our user study, which further reveals users' concerns about some security policies implemented on mainstream TACT platforms and their misconceptions about the protection in place. Also, our communication with the vendors indicates that their threat models have not been well-thought-out, with some assumptions conflicting with each other. We further provide suggestions to enhance the security quality of today's TACT systems.
