Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Researchers found more than 1,500 Slack access tokens for bots and accounts in public GitHub projects

Developers from hundreds of companies have included access tokens for their Slack accounts in public projects on GitHub, putting their teams' internal chats and other data at risk.

Slack has become one of the most popular collaboration and internal communication tools used by companies because of its versatility. The platform's API allows users to develop bots that can receive commands or post content from external services directly in Slack channels, making it easy to automate various tasks.

Many developers post the code for their Slack bots -- some of which are small personal projects -- on GitHub, but fail to remove the bots' access tokens. Some developers even include private tokens associated with their own accounts in the code.

Such tokens can provide access to chats, files, private messages, and other sensitive data shared inside the Slack teams where those developers or bots are members.

Researchers from website security firm Detectify found more than 1,500 Slack tokens on GitHub, some of which provided access to teams at payment providers, Internet service providers, schools, advertising agencies, newspapers and health care providers.

Using those tokens, the researchers gained access to Slack teams and found database credentials, sensitive private messages, files containing passwords, and logins to continuous integration platforms and internal services.

"We also concluded from the internal communication inside Slack teams that people tend to be really sloppy with passing credentials in general," the Detectify researchers said in a blog post.

This is not the first time sensitive access tokens were exposed in projects hosted on GitHub. In 2014, one researcher found almost 10,000 access keys for Amazon Web Services and Elastic Compute Cloud left by developers inside publicly accessible code on GitHub.

Other researchers found credentials for back-end databases and services hard-coded in thousands of mobile apps, which can be easily unpacked and inspected.

"Never commit credentials inside code, ever," the Detectify researchers said. "The first thing you should do is to create environment-variables inside a file and ignore that file from the code repository from [the] start."
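The check below illustrates both halves of that advice: a pre-commit style scan that refuses to ship a Slack token that has been pasted into source, next to a bot that reads its token from an environment variable loaded from an ignored .env file. It is an added example, not Detectify's tooling or the code from the leaked projects; the token regex is an assumption built on the documented "xoxb-"/"xoxp-" prefixes, and the repository contents are constructed inline so it runs offline.

```python
import os
import re

# Slack tokens start with "xox", a type letter (b = bot, p = user) and a
# hyphen; the tail pattern is an assumption, kept loose for a pre-commit check.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b")

# Constructed sample repository: one hard-coded token in source, one bot that
# reads its token from the environment, and a local .env holding the secret.
SAMPLE_REPO = {
    "bot.py": 'SLACK_TOKEN = "xoxb-0000000000-CONSTRUCTEDSAMPLE0000"\n',
    "config.py": 'token = os.environ["SLACK_BOT_TOKEN"]\n',
    ".env": "SLACK_BOT_TOKEN=xoxp-1111111111-CONSTRUCTEDSAMPLE1111\n",
}


def find_slack_tokens(text):
    """Return (line_number, redacted_token) for every token-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            tok = match.group(0)
            hits.append((lineno, tok[:5] + "..." + tok[-4:]))  # never log the secret
    return hits


def scan_repo(files, gitignored):
    """files: {path: contents}; gitignored: paths that never reach the remote.
    Returns {path: hits} for every file that would push a token to GitHub."""
    findings = {}
    for path, contents in files.items():
        if path in gitignored:
            continue  # stays local, which is exactly the point of ignoring .env
        hits = find_slack_tokens(contents)
        if hits:
            findings[path] = hits
    return findings


def slack_token_from_env(environ=None):
    """The fix the researchers recommend: take the token from an environment
    variable (populated from the ignored .env) and refuse to run without it."""
    environ = os.environ if environ is None else environ
    token = environ.get("SLACK_BOT_TOKEN")
    if not token:
        raise RuntimeError("SLACK_BOT_TOKEN is not set; refusing to start")
    return token


if __name__ == "__main__":
    for path, hits in scan_repo(SAMPLE_REPO, gitignored={".env"}).items():
        for lineno, redacted in hits:
            print(f"{path}:{lineno}: Slack token found ({redacted}); aborting commit")
```

With `.env` ignored, only `bot.py` is reported; drop `.env` from the ignore set and the scan flags it too, which is the case the quoted advice is meant to prevent.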

Slack allows team owners to restrict the creation of apps and custom integrations to only select members, instead of all of them.
