Menu
Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Researchers found more than 1,500 Slack access tokens for bots and accounts in public GitHub projects

Developers from hundreds of companies have included access tokens for their Slack accounts in public projects on GitHub, putting their teams' internal chats and other data at risk.

Slack has become one of the most popular collaboration and internal communication tools used by companies because of its versatility. The platform's API allows users to develop bots that can receive commands or post content from external services directly in Slack channels, making it easy to automate various tasks.

Many developers post the code for their Slack bots -- some of which are small personal projects -- on GitHub, but fail to remove the bots' access tokens. Some developers even include private tokens associated with their own accounts in the code.

Such tokens can provide access to chats, files, private messages, and other sensitive data shared inside the Slack teams where those developers or bots are members.

Researchers from website security firm Detectify found more than 1,500 Slack tokens on GitHub, some of the tokens providing access to teams from payment providers, Internet service providers, schools, advertising agencies, newspapers and health care providers.

Using those tokens, the researchers gained access to Slack teams and found database credentials, sensitive private messages, files containing passwords, and logins to continuous integration platforms and internal services.

"We also concluded from the internal communication inside Slack teams that people tend to be really sloppy with passing credentials in general," the Detectify researchers said in a blog post.

This is not the first time sensitive access tokens were exposed in projects hosted on GitHub. In 2014, one researcher found almost 10,000 access keys for Amazon Web Services and Elastic Compute Cloud left by developers inside publicly accessible code on GitHub.

Other researchers found credentials for back-end databases and services hard-coded in thousands of mobile apps, which can be easily unpacked and inspected.

"Never commit credentials inside code, ever," the Detectify researchers said. "The first thing you should do is to create environment-variables inside a file and ignore that file from the code repository from [the] start."

Slack allows team owners to restrict the creation of apps and custom integrations to only select members, instead of all of them.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments