Link vulnerability leads to phishing attacks
Unknown
Vulnerability Details
Hello Guys,
Hope you are doing great. I'm sending this email to let you know about a vulnerability I stumbled upon while using Slack (it's a great app!).
While copy-pasting a link from a PDF to Slack (desktop/web), I noticed that the resulting link(s) looked a bit messed up (1.png).
Firing up Burp and investigating this issue, it seems like the link parser is having problems with what in Burp appears to be a dash. Further analysis led to the following two characters causing this issue:
%c2%ad
When inserting the above (after URL-decoding it) inside a link, it will actually split the link into two different clickable links (2.png).
As you can see, this looks like a perfectly valid domain; however, when hovering over it you can see that there are two clickable areas, one for http://abc and one for 123.com.
Follow these steps to reproduce:
1. Log in to Slack using the web client, in a browser that goes through the Burp intercepting proxy.
2. Choose a colleague to send a direct message to.
3. Enter your link as the message: http://google.com
4. Turn on interception in Burp and hit Enter to send the message. The intercepted message should appear in Burp.
5. Between the letter 'g' and 'oogle.com', insert %c2%ad
6. Now select the insertion (%c2%ad), right-click on it, and select "Convert selection -> URL -> URL decode" (3.png).
7. After URL decoding, it should appear as a dash. Forward the request.
8. Back in Slack, you can see that http://g is clickable, as well as oogle.com.
-end replication steps
The attack scenario here would be someone registering oogle.com (or ogle.com, or any part for that matter) and sending this to the victim. With high probability, the victim will click the second area, which sends them to oogle.com instead of the 'g'. Good chances to phish for passwords.
Let me know if you have problems reproducing or need additional information.
Regards,
Shpend
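The split the report describes, as an added example that is not code from the original report or from Slack. %c2%ad is the UTF-8 percent-encoding of U+00AD SOFT HYPHEN, a zero-width Unicode format character (general category Cf) that is invisible in normal rendering, which is why "g\u00ADoogle.com" looks like "google.com" on screen. The toy linkifier, its regexes, the function names and the sample messages below are all constructed for illustration; the hardened variant shows one fix (refuse to link any run containing a format character), and the detector lists such characters so a gateway or log pipeline can flag them.

```javascript
// Added example, not code from the original report or from Slack: a toy
// linkifier that reproduces the split the report describes, a hardened
// variant that refuses to link text containing Unicode format characters,
// and a detector for such characters in a message.

// Rebuilds the message from the reproduction steps: the percent-encoded
// bytes are decoded the way Burp's "URL decode" does, then inserted into
// the link at the given character offset. (Hypothetical helper.)
function craftSplitLink(link, offset, encoded = "%c2%ad") {
  const sep = decodeURIComponent(encoded); // "\u00AD", U+00AD SOFT HYPHEN
  return link.slice(0, offset) + sep + link.slice(offset);
}

// Characters the toy linkifier accepts inside a URL token. Anything else,
// including U+00AD, acts as a separator, so one visible domain becomes
// two tokens. (Assumed behaviour, modelled on what the report observed.)
const URL_TOKEN = /[A-Za-z0-9.:\/-]+/g;
// A token is linked if it is an http(s) URL or a bare domain with a dot.
const LOOKS_LIKE_URL =
  /^(?:https?:\/\/[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$/;

// Naive linkifier: returns the targets a renderer would make clickable.
function naiveLinkify(message) {
  return (message.match(URL_TOKEN) || []).filter((t) => LOOKS_LIKE_URL.test(t));
}

// Hardened linkifier: candidates are whitespace-delimited runs, and a run
// containing any format character (\p{Cf}: soft hyphen, zero-width joiner,
// bidi overrides, ...) is left unlinked as a whole rather than linked in
// part. Stripping Cf characters before linkifying is the other common fix;
// either way the clickable target must equal what the user sees.
function hardenedLinkify(message) {
  const out = [];
  for (const run of message.split(/\s+/)) {
    if (!run || /\p{Cf}/u.test(run)) continue;
    if (LOOKS_LIKE_URL.test(run)) out.push(run);
  }
  return out;
}

// Detector: lists every format character in a message with its offset, so
// a gateway or log pipeline can flag links that would be split or disguised.
function findFormatChars(message) {
  const hits = [];
  for (const m of message.matchAll(/\p{Cf}/gu)) {
    hits.push({ index: m.index, codePoint: m[0].codePointAt(0) });
  }
  return hits;
}

// Demo on a constructed message (the report's http://google.com case).
const crafted = craftSplitLink("http://google.com", "http://g".length);
console.log(naiveLinkify(crafted));    // [ 'http://g', 'oogle.com' ]
console.log(hardenedLinkify(crafted)); // []
console.log(findFormatChars(crafted)); // [ { index: 8, codePoint: 173 } ]
```

Run it with a current Node.js (the `\p{Cf}` property escape needs the `u` flag and Node 10 or later). The same two-target result appears for the report's other sample once a soft hyphen is placed between "abc" and "123.com"; the naive splitter is the behaviour to test a renderer against, and a clean fix is any linkifier whose targets come only from the text the user actually sees.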
Report Stats
- Report ID: 66994
- State: Closed
- Substate: informative
- Upvotes: 1