
Show HN: Exploiting Slack's video embeds to achieve E2EE communication

A developer uses Slack's video embed feature, which does not validate the content type of the URL it embeds, to build a proof-of-concept for end-to-end encrypted communication inside the platform. The hack shows how an unintended platform loophole can be turned toward stronger privacy, and it prompted discussion of creative workarounds and of in-app extensibility more broadly.

Score: 9
Comments: 1
Highest rank: #10
On front page: 3h
First seen: Jun 15, 4:00 PM
Last seen: Jun 15, 6:00 PM
Rank Over Time (chart)

The Lowdown

This article details a clever exploitation of Slack's video block feature to enable end-to-end encrypted (E2EE) communication. The author found that Slack performs no runtime content validation on the video_url of a video block beyond checking that the URL is reachable, which effectively lets arbitrary iframes be embedded.

  • The core idea involves an app that uses in-browser cryptographic APIs, running within these embedded iframes, to manage key pairs and perform encryption/decryption client-side.
  • This architecture ensures that private keys are never exposed to the server in an unencrypted state.
  • The implementation utilizes TypeScript and the openpgpjs library for robust cryptographic operations, along with a key-value store to manage 'slugs' that hold necessary action data for client-side processing.
  • The workflow involves a user initiating a command, a Slack modal for recipient selection, a unique slug generation, and then loading a client within the video block to handle local key decryption, message encryption, and digital signing before transmitting only the encrypted message.
  • A notable challenge encountered was the undocumented limitation of video blocks not being supported within ephemeral messages.

Ultimately, this project serves as a "hack" that circumvents some of Slack's design constraints, prompting a discussion on the potential benefits if major platforms like Slack were to officially support more flexible, fully-featured in-client applications, akin to Discord's 'Activities' or Telegram's 'Mini Apps'.
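The check the summary says is missing, written out as an added example (not code from the post, the project, or Slack): a server-side validation of a video_url before it is embedded, rejecting anything whose origin does not serve an allowlisted video media type. The function names, the allowlist, and the example hosts are hypothetical, and the sample responses are constructed for offline use.

```javascript
const ALLOWED_VIDEO_TYPES = new Set(["video/mp4", "video/webm", "video/ogg"]);

// Reduce a Content-Type header to its media type: drop parameters such as
// "; charset=utf-8" and normalise case, so "Video/MP4 " still matches.
function mediaTypeOf(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Static checks on the URL itself: parseable, https only, no embedded credentials.
function isAcceptableVideoUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.protocol === "https:" && parsed.username === "" && parsed.password === "";
}

// Pure decision logic, kept free of I/O so it is easy to test: given the URL and
// the status/Content-Type observed when fetching it, return "ok" or a rejection
// reason. An HTML document (how an arbitrary app is served) is not on the allowlist.
function classifyVideoEmbed(url, status, contentType) {
  if (!isAcceptableVideoUrl(url)) return "reject:url";
  if (status < 200 || status >= 300) return `reject:status-${status}`;
  const type = mediaTypeOf(contentType);
  if (!ALLOWED_VIDEO_TYPES.has(type)) return `reject:type-${type || "missing"}`;
  return "ok";
}

// I/O wrapper: HEAD the URL, refusing redirects (which could swap the target),
// then classify. `fetchImpl` is injected so the check runs offline in tests.
async function validateVideoUrl(url, fetchImpl) {
  if (!isAcceptableVideoUrl(url)) return "reject:url";
  const res = await fetchImpl(url, { method: "HEAD", redirect: "error" });
  return classifyVideoEmbed(url, res.status, res.headers.get("content-type"));
}

// Constructed stand-in for fetch: canned responses keyed by URL, 404 otherwise.
function fakeFetch(responses) {
  return async (url) => {
    const r = responses[url] || { status: 404, headers: {} };
    return { status: r.status, headers: { get: (name) => r.headers[name.toLowerCase()] || null } };
  };
}

// Constructed sample: a genuine video file and an HTML app posing as one.
const SAMPLE_RESPONSES = {
  "https://cdn.example/clip.mp4": { status: 200, headers: { "content-type": "video/mp4" } },
  "https://app.example/client": { status: 200, headers: { "content-type": "text/html; charset=utf-8" } },
};
```

A header check at post time is only a point-in-time check, since the origin can change what it serves afterwards; the iframe's sandbox attribute and the embedding page's CSP remain the controls that actually bound what an embedded document can do.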