Slack Tightens API Credential Weakness

Monday, May 2, 2016 @ 03:05 PM gHale


Slack allows users to create private or public chat rooms, on demand, to use for personal purposes or for their businesses.

The technology continues to spread across many industries, but developers often forget to remove sensitive API access tokens from Slack bots they upload to GitHub, researchers said.


Researchers from Detectify Labs said they found over 1,500 Slack access tokens while scanning GitHub projects. Most of these tokens were in Slack bots, small apps that allow developers to automate various operations inside Slack channels.

Slack chat rooms have become the de facto method of communication in many companies, providing serious competition for XMPP-based chat clients.

According to Detectify researchers, companies may be at risk because developers leave sensitive credentials inside open-sourced code.

The same API access tokens that grant bots access to the organization’s Slack channels and the resources attached to them give an attacker who obtains them exactly the same access.

A malicious actor could use a Slack API access token found on GitHub to download a Slack channel’s chat history and search for sensitive information like FTP credentials, internal URLs, or other types of passwords.

Researchers said the access tokens they found belonged to Forbes 500 companies, payment providers, multiple Internet service providers and health care providers.

According to Slack’s official documentation, the access tokens would have allowed attackers to call APIs for harvesting user data, Slack channel conversations and files, group information and private messages, and to automate the use of Slack’s search feature.

Detectify notified Slack of all 1,500 API access tokens it discovered, and the company moved to have them all revoked while also informing all affected customers of the issue.

“GitHub is full of sensitive data,” researchers concluded. “Slack just made it really simple to search for their tokens due to how they are formed. We hope that this advisory might help people realize how big an impact getting these tokens exposed really is.”
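The fixed prefix that makes Slack tokens easy to search for on GitHub also makes them easy to catch before they get there. The following pre-commit style scanner is an added example, not code from Detectify, Slack or this article; the token prefixes it matches and the sample repository contents are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Slack API tokens share a recognisable prefix (xoxp- user, xoxb- bot, xoxa- app,
# xoxr- refresh, xoxs- legacy). That fixed shape is what made the leaked tokens
# trivial to find, and it is equally useful for catching them before a push.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{20,}\b")

# Lines carrying this marker are deliberately skipped, e.g. documentation that
# shows the token format with an obviously fake value.
ALLOW_MARKER = "secret-scan:allow"


def redact(token: str) -> str:
    """Keep only the prefix and last four characters so reports are safe to share."""
    return f"{token[:5]}...{token[-4:]}"


def find_slack_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_token) for every Slack-format token in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((line_no, redact(match.group(0))))
    return hits


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a path -> contents mapping, the shape a pre-commit hook would feed in."""
    findings = []
    for path, content in files.items():
        for line_no, redacted in find_slack_tokens(content):
            findings.append((path, line_no, redacted))
    return findings


# Constructed sample repository; every token value below is made up.
SAMPLE_FILES = {
    "bot/config.py": (
        "import os\n"
        "SLACK_TOKEN = 'xoxb-123456789012-123456789012-CONSTRUCTEDEXAMPLEabcd'\n"
        "CHANNEL = '#ops'\n"
    ),
    "bot/main.py": "token = os.environ['SLACK_TOKEN']  # read at runtime, nothing to leak\n",
    "README.md": "Token format: xoxp-000000000000-000000000000-EXAMPLEEXAMPLEEXAMPLE  # secret-scan:allow\n",
}

if __name__ == "__main__":
    for path, line_no, redacted in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: possible Slack token {redacted}")
```

Wired into a pre-commit hook that exits non-zero on any finding, this blocks the hard-coded token in `bot/config.py` while leaving the environment-variable lookup and the annotated documentation line alone.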