Hazard Integrated: Understanding Security Risks in App Extensions to Team Chat Systems

Introduction

Team Chat (TACT) systems are now widely used for online collaborations and project management. A unique feature of these systems is their integration of third-party apps, which extends their capabilities but also brings in the complexity that could potentially put the TACT system and its end-users at risk.


In this paper, for the first time, we demonstrate that third-party apps in TACT systems indeed open the door to new security risks, such as privilege escalation, deception, and privacy leakage. We studied 12 popular TACT systems, following the key steps of a third-party app's life cycle (its installation, update, configuration, and runtime operations). Notably, we designed and implemented a pipeline for efficiently identifying the security risks of TA APIs, a core feature provided for system-app communication.


Our study leads to the discovery of 54 security issues across the 12 platforms, with 25 in the install and configuration stages and 29 vulnerable (or risky) APIs. These security weaknesses are mostly introduced by improper design, lack of fine-grained access control, and ambiguous data-access policies. We reported our findings to all related parties, and 8 have been acknowledged. Although we are still working with the TACT vendors to determine the security impacts of the remaining flaws, their significance has already been confirmed by our user study, which further reveals users' concerns about some security policies implemented on mainstream TACT platforms and their misconceptions about the protection in place. Also, our communication with the vendors indicates that their threat models have not been well-thought-out, with some assumptions conflicting with each other. We further provide suggestions to enhance the security quality of today's TACT systems.