October 3, 2022
A recently discovered vulnerability in the Figma integration for Slack can leak information contained in a Figma file to Slack users who have no access to that file, via the preview thumbnail that Slack renders for the link. We have reported the issue to Figma for them to manage, and we are publishing our findings in accordance with the principles of responsible disclosure.
One of the greatest benefits of collaboration tools is the integrations between them and the ease with which a project can be shared across platforms. The same integrations, however, can add risk for organizations.
Figma is a collaboration tool that lets users work together on design files over the internet. As is common with collaboration tools, Figma offers users the ability to share a file directly with other users through Slack. Figma has approximately 4 million users, many of them at large technology companies such as Slack, Dropbox, Twitter and Microsoft, and Adobe recently announced an agreement to acquire it for about $20bn.
At Reco, we specialize in collaboration security, ensuring that users can collaborate securely across a wide range of tools. As part of that work we actively search for the kinds of vulnerabilities that exist in these tools so that our solution can address them. In the course of this research, Reco data analyst Tamar Yovell uncovered an information disclosure vulnerability in the Figma link preview on Slack.
The vulnerability: When a user who has access to a Figma file posts a link to it in a Slack workspace where the Figma app is installed, the app unfurls the link into a low-resolution thumbnail of the file, and that thumbnail is visible to every member of the chat or channel, including members who do not have access to the file in Figma and any external members of the chat or channel. Whether the recipients themselves are permitted to open the file in Figma is not taken into account; the thumbnail is produced simply because the sender could open it.
Image 1: The ability to send previews in messages is explicitly mentioned in the configuration notes for Figma and FigJam.
The potential impact: The thumbnail is a faithful, if low-resolution, rendering of the file's contents, so it can disclose sensitive information in the file to users who were never granted access to it.
Furthermore, the default setting for a new Figma file is “anyone from the organization can edit”. If that default is left unchanged, anyone in the organization can open the file and post its link, and so expose the preview to unauthorized recipients, including external members of the channel. Combined with the behaviour above, this makes exposure of sensitive information likely rather than exceptional.
Steps to reproduce the vulnerability:
1. Create a new Figma team (if you have an existing team, you can use that) (images 2 & 3 below)
Image 2: Create a team
Image 3: Add collaborators
2. Create a new project, and set the permissions to invite only (image 4)
3. Create a new file. Add some content and a title (Image 5)
4. Click the Share button in the top bar (verify that only people invited to this file can view it) (image 6)
5. Click Copy link
6. Send the copied link through Slack to a user who has not been invited to the file and who does not have access to the project. Slack can still access the Figma file and generates a preview thumbnail that the recipient can see (image 7)
This vulnerability reaches Slack through the integration between Figma and Slack. Reco's collaboration security tool contextualizes and secures data assets within Slack by reasoning over metadata, without reading the content of messages.
Specifically, Reco analyzes the context of the file and the context of the Slack chat to decide whether sending the link to a given recipient is justified (Reco does not read the content of either the message or the linked file). If it is not, Reco alerts the organization to a potential information leak in real time, so the security team or data owner can fix the problem.
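As an added illustration of the kind of check described above (example code added here, not Reco's product code and not a Figma or Slack API client): given a list of Slack messages, a constructed channel roster and a constructed table of which accounts each Figma file is shared with, flag every message whose Figma link would unfurl a thumbnail to channel members who are not on the file's share list, and call out external members separately. Only the shape of Figma file URLs (`https://www.figma.com/file/<key>/<title>`) is taken from Figma; the rosters, share lists and messages are all made up, and in a real deployment they would come from Figma's sharing settings and Slack's membership data.

```python
"""Flag Slack messages whose Figma link would unfurl a thumbnail to
members who do not have access to the file.

Example code added to this post for illustration. It is not Reco's
product, nor Figma's or Slack's code. Every input below is constructed.
"""
import re
from dataclasses import dataclass

# Figma file links look like https://www.figma.com/file/<key>/<title>[?node-id=...]
# The key is the alphanumeric segment right after /file/.
FIGMA_FILE_RE = re.compile(r"https?://(?:www\.)?figma\.com/file/([A-Za-z0-9]+)")

# Constructed: accounts each file's sharing settings actually admit.
FILE_ACL = {
    "AbCdEf123": {"alice@example.com", "bob@example.com"},           # invite-only file
    "Xyz987Qrs": {"alice@example.com", "bob@example.com",
                  "carol@example.com", "dave@partner.example"},      # shared more widely
}


@dataclass(frozen=True)
class Member:
    email: str
    external: bool = False   # guest / Slack Connect account from outside the org


# Constructed channel rosters.
CHANNELS = {
    "#design-private": [Member("alice@example.com"), Member("bob@example.com")],
    "#product-shared": [Member("alice@example.com"), Member("carol@example.com"),
                        Member("dave@partner.example", external=True)],
}

# Constructed messages, in the shape a Slack export or event stream would give.
MESSAGES = [
    {"channel": "#design-private", "user": "alice@example.com",
     "text": "latest mock: https://www.figma.com/file/AbCdEf123/Login-Redesign?node-id=1-2"},
    {"channel": "#product-shared", "user": "alice@example.com",
     "text": "FYI https://www.figma.com/file/AbCdEf123/Login-Redesign"},
    {"channel": "#product-shared", "user": "carol@example.com",
     "text": "roadmap draft https://www.figma.com/file/Xyz987Qrs/Roadmap"},
]


@dataclass
class Finding:
    channel: str
    sender: str
    file_key: str
    unauthorized: list   # every roster member not on the file's share list
    external: list       # the subset of those who are external to the org


def extract_file_keys(text):
    """Return the Figma file keys referenced in a message, in order."""
    return FIGMA_FILE_RE.findall(text)


def find_exposures(messages, channels=CHANNELS, acl=FILE_ACL):
    """Return one Finding per (message, file) pair whose thumbnail would reach
    someone without access to the file. A file with no ACL data is treated
    conservatively: nobody is assumed to have access, so it is always flagged."""
    findings = []
    for msg in messages:
        roster = channels.get(msg["channel"], [])
        for key in extract_file_keys(msg["text"]):
            allowed = acl.get(key, set())
            unauthorized = sorted(m.email for m in roster if m.email not in allowed)
            if not unauthorized:
                continue   # everyone in the channel may open the file anyway
            external = sorted(m.email for m in roster
                              if m.external and m.email not in allowed)
            findings.append(Finding(msg["channel"], msg["user"], key, unauthorized, external))
    return findings


if __name__ == "__main__":
    for f in find_exposures(MESSAGES):
        tag = "EXTERNAL" if f.external else "internal"
        print(f"[{tag}] {f.channel}: {f.sender} posted file {f.file_key}; "
              f"thumbnail visible to {', '.join(f.unauthorized)}")
```

The check is deliberately on the recipients, not the sender: the sender can open the file by definition, which is exactly why the unfurl succeeds, so the only question worth asking is who else in the channel will see the rendered thumbnail.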
Slack + Reco = secure collaboration.
Given the potential for information disclosure as a result of this vulnerability, we have been in touch with Figma. However, we are still concerned that their response does not take this seriously.
The design behaviour whereby the entire thumbnail is visible to the whole chat or channel creates a collaboration security problem: anyone across an organization may end up seeing a Figma file they are not permitted to access. This contrasts with other link previews in Slack, for example Google Docs, whose previews do not expose the document's sensitive contents when a link is shared in a Slack chat.
A member of Figma’s team (Rami McCarthy) told us through the HackerOne platform that “A user who shared the file via Slack is, by design, sharing the thumbnail with the relevant Slack audience,” suggesting that from Figma’s perspective this design behaviour is legitimate because it makes collaboration easier.
However, it also demonstrates a lack of understanding of collaboration security as a whole. Figma (and potentially other vendors too) appear to underestimate the risks that collaboration tools and their integrations pose for information security, and to assume that users still work in small, discrete units where every member of a Slack channel is an authorized user. The risk is greatest in public channels and in channels shared with external users, where the audience for a thumbnail is widest.
At Reco, collaboration security is our mission. Our platform is designed to ensure that users of collaboration tools can carry out their work with whoever they need to work with (both internally and externally) without inadvertently creating a security breach, particularly those that might arise from a design flaw in their tools.