Menu
Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Researchers found more than 1,500 Slack access tokens for bots and accounts in public GitHub projects

Developers from hundreds of companies have included access tokens for their Slack accounts in public projects on GitHub, putting their teams' internal chats and other data at risk.

Slack has become one of the most popular collaboration and internal communication tools used by companies because of its versatility. The platform's API allows users to develop bots that can receive commands or post content from external services directly in Slack channels, making it easy to automate various tasks.

Many developers post the code for their Slack bots -- some of which are small personal projects -- on GitHub, but fail to remove the bots' access tokens. Some developers even include private tokens associated with their own accounts in the code.

Such tokens can provide access to chats, files, private messages, and other sensitive data shared inside the Slack teams where those developers or bots are members.

Researchers from website security firm Detectify found more than 1,500 Slack tokens on GitHub, some of the tokens providing access to teams from payment providers, Internet service providers, schools, advertising agencies, newspapers and health care providers.

Using those tokens, the researchers gained access to Slack teams and found database credentials, sensitive private messages, files containing passwords, and logins to continuous integration platforms and internal services.

"We also concluded from the internal communication inside Slack teams that people tend to be really sloppy with passing credentials in general," the Detectify researchers said in a blog post.

This is not the first time sensitive access tokens were exposed in projects hosted on GitHub. In 2014, one researcher found almost 10,000 access keys for Amazon Web Services and Elastic Compute Cloud left by developers inside publicly accessible code on GitHub.

Other researchers found credentials for back-end databases and services hard-coded in thousands of mobile apps, which can be easily unpacked and inspected.

"Never commit credentials inside code, ever," the Detectify researchers said. "The first thing you should do is to create environment-variables inside a file and ignore that file from the code repository from [the] start."

Slack allows team owners to restrict the creation of apps and custom integrations to only select members, instead of all of them.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments