Source linked

Slack's video embed is an unchecked iframe, so someone built E2EE chat on top

v1c.rocks@systems_wire4 hours ago·Security·0 comments

Slack's video block accepts any accessible URL with no runtime validation, and the developer Vic turned that into a fully functional end-to-end encrypted messaging system using browser crypto and openpgpjs.

slackvideo embedbrowser cryptoopenpgpjsend to end encryptionsecurity research

Slack's video block doesn't check whether you're serving an actual video, an HTML page, or a full crypto client. It just iframes whatever URL returns a 2xx or 3xx.

Developer Vic noticed this while poking at Slack's Block Kit reference and realized there's no runtime validation beyond an accessibility ping. No domain whitelist, no MIME-type check. That hole became the foundation for a working end-to-end encrypted messaging system that lives entirely inside Slack's own UI.

How a video embed becomes a crypto client

Vic's app (gh:v1ctorio/e2ee-slack) works like this: inside your browser, using the native SubtleCrypto API, you generate a key pair. The private key is encrypted with your passphrase and sent to the server, but the server never gets the decrypted key. Every time you need to sign, encrypt, or decrypt, the server creates a unique slug, stores the required data in a KV store, and returns a video block with that slug as the URL.

When Slack loads that video embed, it runs the client code locally, pulls the encrypted private key from the slug context, and does all cryptographic operations in the browser. The server sees only encrypted ciphertext and signed envelopes forwarded to recipients. No plaintext keys, no messages in the clear.

The undocumented gotcha and the practical hack

Vic spent a decent chunk of time debugging why video blocks wouldn't appear in ephemeral messages. That behavior isn't documented anywhere. Workaround: use regular messages and rely on the Slack client's local rendering. Not ideal, but functional.

For the crypto heavy lifting, Vic started with raw SubtleCrypto but quickly switched to openpgpjs (maintained by Proton). The library handles key generation, signing, encryption, and decryption. The server stores almost no persistent data most of it lives in Slack's metadata fields, but encrypted message lengths exceeded those fields, so the slug system in a KV store took that load.

What this means for platform security

The whole thing is a hack. It bends Slack's design constraints, and Vic acknowledges that openly. But it raises a sharper question: if Slack's video embed is an unrestricted iframe, what else is possible? Discord has Activities, Telegram has Mini Apps. Major platforms already ship embedded web runtimes with very little sandboxing.

Vic's demo proves that a motivated developer can turn a chat platform into a general-purpose app host using nothing more than a misused embed endpoint. The source is on GitHub and self-hostable in about five minutes. Expect more people to start probing what their chat app's video blocks actually render.

Source: Show HN: Exploiting Slack's video embeds to achieve E2EE communication
Domain: v1c.rocks

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Security

view topic
Analyzing the XZ Backdoor: How a Multi-Year Social Engineering Attack Succeeded

A technical post-mortem of CVE-2024-3094 and its implications for open-source supply chain security.

Post-Quantum Cryptography: Transitioning to Kyber and Dilithium Standards

Preparing public-key infrastructures for the era of cryptographically relevant quantum computers.

Zero-Knowledge Proofs in Practice: Comparing zk-SNARKs and zk-STARKs

An architectural overview of arithmetic circuits, trusted setups, and prover overhead.

Hardware-Enforced Memory Safety: ARM Memory Tagging Extensions (MTE) in Production

How MTE detects use-after-free and buffer overflow bugs in production software with minimal overhead.

Comments load interactively on the live page.