---
title: "Protect Slack Cookies from Infostealers | Security Cookbook"
description: "Stop infostealers from harvesting Slack session cookies on macOS using Workshop file access rules that limit reads to Slack itself and Spotlight."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/protect-slack-cookies"
---

### Idea

Slack is built with Electron (Chromium + Node.js), and like other Electron apps, stores session cookies in predictable locations. These cookies provide authenticated access to Slack workspaces, making them high-value targets for infostealers.

This rule prevents reads of Slack cookies except by Slack itself and the Spotlight indexing process. By restricting access to only the legitimate processes that need these files, you can prevent credential theft even if malware gets onto the system.

The utility of this protection was highlighted by SpecterOps in their talk "Modern macOS Red Teaming Tactics", where they demonstrated how Slack cookies can be exfiltrated and used to access corporate Slack workspaces.

### Solutions

File Access: Protect Slack Cookies

Restrict Slack cookie access to Slack and system processes only

Path Prefixes

- `/Users/*/Library/Application Support/Slack/Cookies`
- `/Users/*/Library/Application Support/Slack/StaleCookies`
- `/Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/Cookies`
- `/Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/StaleCookies`

Options

- Allow Read Access: false
- Audit Only: false
- Rule Type: PathsWithAllowedProcesses

Processes

- Signing ID: `BQR82RBBHL:com.tinyspeck.slackmacgap`
- Signing ID: `BQR82RBBHL:com.tinyspeck.slackmacgap.helper`
- Signing ID: `platform:com.apple.mdworker_shared`

Custom Message

Slack cookies can only be accessed by Slack

### MITRE ATT&CK

Tactics

- [Credential Access](https://attack.mitre.org/tactics/TA0006/)

Techniques

- [T1539: Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539/)
- [T1552.001: Credentials In Files](https://attack.mitre.org/techniques/T1552/001/)

### Tags

slack, cookies, electron, infostealer, session-hijacking

### Deployment Notes

This rule covers both the standard Slack app installation and the sandboxed Mac App Store version. It protects both active cookies (Cookies) and stale cookies (StaleCookies) that may still contain valid session tokens.

Slack cookies provide authenticated access to all Slack workspaces the user is signed into, making them extremely valuable for attackers.

This rule is similar to the Chrome cookie protection from Day 6 of the advent calendar, as Slack is built on the same Electron/Chromium technology.

### False Positive Guidance

Only Slack and Spotlight should legitimately access these cookie files. If you have legitimate automation or monitoring tools that need to read Slack cookies, add their signing IDs to the allowlist.

Note that some backup software may need access; consider exempting backup processes if needed.
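The sketch below models this rule's decision logic in Python so that a set of observed file accesses can be checked for signing IDs that would be blocked before anything is added to the allowlist. It is an added example, not Workshop or Santa code; the event tuples, the wildcard handling, and the backup tool's signing ID are assumptions made for illustration.

```python
import re

# Rule values copied from the rule card on this page.
PATH_PREFIXES = [
    "/Users/*/Library/Application Support/Slack/Cookies",
    "/Users/*/Library/Application Support/Slack/StaleCookies",
    "/Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/Cookies",
    "/Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/StaleCookies",
]
ALLOWED_SIGNING_IDS = {
    "BQR82RBBHL:com.tinyspeck.slackmacgap",
    "BQR82RBBHL:com.tinyspeck.slackmacgap.helper",
    "platform:com.apple.mdworker_shared",
}
ALLOW_READ_ACCESS = False
AUDIT_ONLY = False

def _compile(prefix):
    # Assumption: "*" stands for exactly one path component (the user name);
    # everything else is a literal prefix, so "Cookies-journal" is covered too.
    return re.compile("[^/]+".join(re.escape(part) for part in prefix.split("*")))

_PREFIXES = [_compile(p) for p in PATH_PREFIXES]

def decide(path, signing_id, op):
    """Model the rule's outcome for one access: 'allow', 'audit' or 'deny'."""
    if not any(rx.match(path) for rx in _PREFIXES):
        return "allow"                      # path is outside the rule
    if signing_id in ALLOWED_SIGNING_IDS:
        return "allow"                      # Slack, its helper, or Spotlight
    if op == "read" and ALLOW_READ_ACCESS:
        return "allow"                      # rule would only guard writes
    return "audit" if AUDIT_ONLY else "deny"

# Constructed sample events: (path, signing ID, operation). The backup tool's
# signing ID is hypothetical; "" stands for an unsigned binary.
SLACK = "/Users/alice/Library/Application Support/Slack/"
EVENTS = [
    (SLACK + "Cookies", "BQR82RBBHL:com.tinyspeck.slackmacgap", "read"),
    (SLACK + "Cookies", "platform:com.apple.mdworker_shared", "read"),
    (SLACK + "Cookies-journal", "", "read"),
    (SLACK + "StaleCookies", "EXAMPLETEAM:com.example.backup", "read"),
    ("/Users/alice/Documents/notes.txt", "", "read"),
]

def blocked_signers(events):
    """Signing IDs the rule would stop: candidates for allowlist review."""
    return sorted({sid for path, sid, op in events if decide(path, sid, op) != "allow"})
```

Each signing ID returned by `blocked_signers` is either a tool to vet and allowlist or an access the rule is meant to stop; an empty signing ID should never be allowlisted.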

### Resources

- [SpecterOps: Modern macOS Red Teaming Tactics](https://www.youtube.com/watch?v=t_L2bdbXkp0&t=2863s)
- [Santa FAA Cookbook - Slack Cookies](https://northpole.dev/cookbook/faa/#slack-cookies)

### Related Rules

#### [Protect Browser Cookies from Infostealers](https://northpole.security/cookbook/protect-browser-cookies)

Credential Protection, File Access

Restrict Chrome and Firefox cookie databases to the browser itself, blocking infostealers like Atomic Stealer from hijacking sessions.

