This article was published on April 29, 2016

Your Slack login details are on GitHub


Your Slack login details are on GitHub

Since its release back in 2013, Slack has grown into one of the leading team messaging services, boasting 2.7 million active daily users.

Part of the app’s success has been its robust chatbot integration feature that makes it possible for developers to build custom bots, scrupulously tailored to the needs of your team.

Yet, despite being one of Slack’s most instrumental facets, its bot integration functionality might also be one of the app’s least secure features. Or at least, this is what security company Detectify cautions.

According to recent research from Detectify, a vulnerability in Slack bots might have exposed your team’s private messages, passwords and other database credentials.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

The report further clarifies that the security flaw stems from sloppy coding practices that chatbot developers often engage in.

“The problem is that many developers tend to include Slack tokens – credentials tied to their personal Slack account – directly in the code when building Slack bots.”

Forgetting to remove these tokens means that anybody who comes across the code – be it on GitHub or any other code-sharing service – can obtain access to bulks of sensitive information including internal chats, source code and any other files your team has shared on Slack.

What’s particularly troublesome is that once a hacker has breached your Slack account there’s no easy way to determine whether someone is snooping on your communication.

Researchers from Detectify say they “have already been able to find thousands of tokens by simply searching GitHub”, stressing that “new tokens are becoming publicly available every day.”

Slack tokens have a distinctive format that makes them easy to identify on GitHub. The tokens in question use a prefix with a hyphen that looks similar to the example below:

xoxp-XXXXXXXXX-XXXXXXXXXXXXXXXXXXX
xoxb-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXX

The security company claims that so far their researchers have recovered over 1,500 such tokens from a number of small and big companies and institutions, including Forbes 500 companies and leading universities.

Neither Detectify, nor Slack has revealed any of the names of these companies publicly.

Detectify has already reported the vulnerability and Slack has since responded that it is working on eliminating the issue.

The messaging service has revoked the leaked tokens and has also notified affected users and teams directly. Slack has also assured that it will be proactively looking for token leakages in the future.

At present, there are over 40 bots available on Slack’s bot platform.

Developers, beware: better be careful when you share your team’s favorite custom bots.

Update April 29 16:05pm ET:

Slack has issued a statement advising developers to treat tokens with utmost caution. See the statement below:

“Slack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers’ security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.”

via Quartz

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with