Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Researchers found more than 1,500 Slack access tokens for bots and accounts in public GitHub projects

Developers from hundreds of companies have included access tokens for their Slack accounts in public projects on GitHub, putting their teams' internal chats and other data at risk.

Slack has become one of the most popular collaboration and internal communication tools used by companies because of its versatility. The platform's API allows users to develop bots that can receive commands or post content from external services directly in Slack channels, making it easy to automate various tasks.

Many developers post the code for their Slack bots -- some of which are small personal projects -- on GitHub, but fail to remove the bots' access tokens. Some developers even include private tokens associated with their own accounts in the code.

Such tokens can provide access to chats, files, private messages, and other sensitive data shared inside the Slack teams where those developers or bots are members.

Researchers from website security firm Detectify found more than 1,500 Slack tokens on GitHub, some of which provided access to teams at payment providers, Internet service providers, schools, advertising agencies, newspapers and health care providers.

Using those tokens, the researchers gained access to Slack teams and found database credentials, sensitive private messages, files containing passwords, and logins to continuous integration platforms and internal services.

"We also concluded from the internal communication inside Slack teams that people tend to be really sloppy with passing credentials in general," the Detectify researchers said in a blog post.

This is not the first time sensitive access tokens were exposed in projects hosted on GitHub. In 2014, one researcher found almost 10,000 access keys for Amazon Web Services and Elastic Compute Cloud left by developers inside publicly accessible code on GitHub.

Other researchers found credentials for back-end databases and services hard-coded in thousands of mobile apps, which can be easily unpacked and inspected.

"Never commit credentials inside code, ever," the Detectify researchers said. "The first thing you should do is to create environment-variables inside a file and ignore that file from the code repository from [the] start."

Slack allows team owners to restrict the creation of apps and custom integrations to selected members rather than all of them.
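The researchers' advice to keep credentials out of code can be enforced with a check run before each commit. The sketch below is an added example, not code from Detectify or Slack; the token pattern is a heuristic based on the common `xox?-` prefix, and the `SLACK_BOT_TOKEN` variable name and sample sources are assumptions.

```python
import os
import re

# Assumed token shape: "xox" + type letter (b = bot, p = user, ...) + "-" + a
# run of letters, digits and dashes. This is a heuristic, not a Slack spec.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")


def redact(token):
    """Keep only the type prefix so the report does not leak the secret again."""
    return token[:5] + "********"


def scan_text(name, text):
    """Return (file, line number, redacted token) for each hard-coded token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            findings.append((name, lineno, redact(match.group(0))))
    return findings


def token_from_env(var="SLACK_BOT_TOKEN", environ=None):
    """Read the token at runtime; fail loudly instead of falling back to a literal.

    SLACK_BOT_TOKEN is a hypothetical variable name chosen for this example.
    """
    environ = os.environ if environ is None else environ
    token = environ.get(var)
    if not token:
        raise RuntimeError(f"{var} is not set")
    return token


# Constructed sample sources (the token is a made-up placeholder, not a real one).
BEFORE = 'import os\nSLACK_TOKEN = "xoxb-000000000000-EXAMPLEONLYNOTREAL"\n'
AFTER = 'import os\nSLACK_TOKEN = os.environ["SLACK_BOT_TOKEN"]\n'

if __name__ == "__main__":
    for name, src in (("bot_before.py", BEFORE), ("bot_after.py", AFTER)):
        print(name, scan_text(name, src) or "clean")
```

A token that has already been pushed should be revoked, since removing it in a later commit leaves it readable in the repository history.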
