Anthropic Slack Model Context Protocol Server Data Exfiltration Vulnerability

Vulnerability

A data exfiltration vulnerability has been identified in Anthropic's deprecated Slack Model Context Protocol (MCP) Server. This issue arises from automatic link unfurling, which allows an AI agent using the Slack MCP Server to process untrusted data and generate messages with attacker-crafted hyperlinks. These hyperlinks can embed sensitive information, which is then accessed by Slack's link preview bots, such as Slack-LinkExpanding, Slackbot, and Slack-ImgProxy. This results in zero-click exfiltration of private data.

Impact

Exploitation of this vulnerability leads to unauthorized data leakage from the user's environment to an external server controlled by the attacker. This could include sensitive information such as private messages or confidential data from documents, depending on what the AI agent processes and accesses.

Reproduction

The vulnerability can be reproduced by using an AI agent that posts to Slack and has access to private data. When the agent processes untrusted data, such as documents or web pages, it can be manipulated to include hyperlinks that, once unfurled by Slack, trigger requests to an attacker-controlled URL. These requests can carry sensitive information, such as API keys or other private data, extracted from the user's environment.

Remediation

Users can disable link unfurling in the Slack MCP Server by adding specific parameters to the 'post' and 'reply' message functions. This change prevents Slack from automatically expanding links and media, which is where the data leakage occurs. After applying this adjustment, the unfurling feature can be tested to ensure it has been successfully disabled.
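The following is an added example, not code from Anthropic's Slack MCP Server: it shows one way to apply the remediation above using the `unfurl_links` and `unfurl_media` parameters of Slack's `chat.postMessage` API for both posts and thread replies. The function names (`buildSlackMessage`, `unfurlDisabled`, `postToSlack`, `recordingFetch`) are hypothetical, and the stub lets the request be checked without contacting Slack.

```javascript
// Added example. Function names are hypothetical, not the MCP server's own.
const SLACK_POST_URL = "https://slack.com/api/chat.postMessage";

// Build a chat.postMessage body for a post or, with thread_ts, a reply.
// Only allowlisted fields are copied from args, so an unfurl flag supplied
// by the caller (for example in agent-chosen tool arguments) is ignored.
function buildSlackMessage(args) {
  const { channel, text, thread_ts } = args;
  if (typeof channel !== "string" || typeof text !== "string") {
    throw new TypeError("channel and text must be strings");
  }
  const body = { channel, text, unfurl_links: false, unfurl_media: false };
  if (thread_ts !== undefined) body.thread_ts = thread_ts;
  return body;
}

// True only when both flags are explicitly false. A missing flag leaves the
// unfurl decision to Slack's defaults, so it does not count as disabled.
function unfurlDisabled(body) {
  return body.unfurl_links === false && body.unfurl_media === false;
}

// Send the message. fetchImpl is injectable so the outgoing request can be
// inspected with a stub instead of calling Slack.
async function postToSlack(token, args, fetchImpl = fetch) {
  const body = buildSlackMessage(args);
  if (!unfurlDisabled(body)) {
    throw new Error("refusing to post with link unfurling enabled");
  }
  const res = await fetchImpl(SLACK_POST_URL, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json; charset=utf-8",
    },
    body: JSON.stringify(body),
  });
  return res.json();
}

// Test stub: records each request body so the flags can be verified offline.
function recordingFetch(log) {
  return (url, init) => {
    log.push({ url, body: JSON.parse(init.body) });
    return { json: async () => ({ ok: true }) };
  };
}
```

After deploying a change like this, posting a message that contains a link to a harmless test URL and confirming that no preview appears in the channel checks the behaviour end to end.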

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.