Image: Slack
You use Slack to talk to your friends at work, understand where everyone stands on their tasks, use its integrations with certain tools, write bots to perform automations for you and maybe even organize your next lunch. But one of Slack’s strengths is the ability to also upgrade it with various plugins and hacks, which is exactly what Sharon Brizinov, a security researcher at the Israeli cyber company Claroty, did.
The ICQ nostalgia that will let you play on the notification sounds
Brizinov decided to do some research on the popular messaging app to get a little more out of it. “Personally, I use Slack a lot and I also had the chance to write several bots, including a bot to open the office door in Claroty and give up physical tags,” says Brizinov in a conversation with Gigtime. But it doesn’t stop there.
If you use Slack, you’ve probably thought at least once, “Surely there is a better sound for the app’s notifications.” There is a pool of sounds, one of which is – and this is an old Easter egg – the word “hummus”, but this pool is closed and quite limited. So Brizinov decided to find a way to add more interesting sounds to it. He says that he came up with the idea out of nostalgia for a more beautiful time, one where your messaging app screamed at you “O O”, “I started after out of nostalgia for ICQ I tried to change the sounds in Slack and saw that it was possible to change a note effect sound only from a closed list. I thought it wouldn’t be a simple story to change a static file on the disk from one sound and replace it with another, but it didn’t work. Out of curiosity, I started researching and diving in to understand how Slack works and where it loads the assets, including sounds.’
He says that finally, after several attempts, he realized that Slack includes a sophisticated cache mechanism that allows the application, on the one hand, to load the sounds offline relatively quickly, but on the other hand, allows the same sounds to be easily updated and replaced. The final product he arrived at is a short script in Python that knows how to edit and build such cache files, through which he updated the sounds he wanted to add to the application. And that’s how Brizinov’s first Mod for Slack was created.
Won’t you ignore any messages from him?
After the first mod, Brizinov decided to continue diving down Slack’s rabbit hole. “In the past, I saw mods for the Whatsapp and Signal client that allow preventing the deletion of a message on the client side and I thought why not implement the same thing in Slack. So I continued with the previous research and concentrated on the loading flow of the JS code,” he says. According to him, he quickly understood how the cache mechanism for code files works and wrote a script similar to the previous one, which knows how to edit the Slack runtime code so that the client ignores the server’s delete_message messages – that is, if someone deletes a message, the hacked client will receive a request from the server to delete a message with a certain ID, but the client will simply ignore this request and still leave the message. In addition, the user will receive a notification that the other party tried to delete the message.
Thousands of users for two modes
Brizinov tells us that in his estimation so far thousands of people have already used the mods he wrote: “I received a lot of questions and people also joined and improved the code, partly to adapt it to other operating systems.” He emphasizes that he has no information about the actions that users do with the mods he created. The next step, according to him, is a third mod that will allow him to independently set up end-to-end encryption of the messages he sends and receives: “When I send a message, my client will automatically encrypt the message and send an encrypted message to Slack’s servers even though I supposedly see a normal message in the message window. When receiving on the other side, the client will receive an encrypted message but will automatically decode it locally and display the original message. In this way, the communication outside the machine will always be encrypted, but it will be transparent to users who will see plain text messages because the treated clients will automatically manage the encryption and decryption transparently to the users.’
The man with whom you renew passports
Well-wishers may remember Brizinov, who found a way to bypass the restrictions on the bot for making appointments for passport renewal, and was one of the most popular tools until a few months ago. Brizinov found a way to bypass the captcha mechanism activated by the CallFlow company behind the appointment application of the Ministry of the Interior – MyVisit.