Prompt InjectionHigh

Slack AI Tricked Into Leaking Private Channel Data via Indirect Prompt Injection

Slack (Salesforce)

What Happened

PromptArmor showed that Slack AI would retrieve content from public channels the querying user had never joined, letting an attacker plant hidden instructions in a public message. When a victim later asked Slack AI about their own private data, such as an API key stored in a private channel, the assistant followed the attacker's poisoned instruction and rendered the secret inside a deceptive clickable link that exfiltrated it. A follow-up finding extended the attack surface to malicious content hidden inside uploaded documents.

Impact

An attacker with a low-privilege account in the same workspace could siphon secrets and confidential data from private channels they had no access to. Slack investigated and deployed a patch after the disclosure.

How to Prevent This

  • Restrict AI retrieval scope to channels and documents the requesting user is actually authorized to read
  • Disallow rendering of arbitrary user-controlled hyperlinks and image URLs in assistant responses
  • Isolate untrusted ingested content from instruction-following context so retrieved text cannot alter behavior
  • Log and alert on AI responses that embed secrets or outbound links to external domains
  • Continuously test the assistant with adversarial public-channel and document payloads

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment