Connect with us

Hi, what are you looking for?


Application Security

Slack Tokens Leaked on GitHub Put Companies at Risk

Many developers unknowingly expose sensitive data, including business-critical information, when they publish code containing their Slack access tokens on GitHub.

Many developers unknowingly expose sensitive data, including business-critical information, when they publish code containing their Slack access tokens on GitHub.

Slack, the popular cloud-based team collaboration tool, allows developers to create bots that help them automate certain tasks. For instance, there are project management bots, out-of-office bots, game bots, and even ones that remind users to exercise.

In many cases these bots are created as hobby projects and developers don’t realize that their code includes an authentication token for their Slack account. By sharing their projects publicly on GitHub, developers allow others to copy these tokens and use them to gain access to their chats and files.

A GitHub search conducted by security firm Detectify turned up more than 1,500 tokens that allow access to potentially sensitive information, including xoxp private tokens and xoxb custom bot tokens.

“These tokens belong to different users and companies; among them Forbes 500 companies, payment providers, multiple internet service providers and health care providers. Renowned advertising agencies that want to show what they are doing internally. University classes at some of the world’s best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on,” Detectify said in a blog post.

According to researchers, the tokens they found on GitHub provided access to database credentials, logins for internal services, and private messages.

“Using the tokens it’s possible to eavesdrop on a company. Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack.” experts warned.

Advertisement. Scroll to continue reading.

After being notified by Detectify in late March, Slack revoked the exposed tokens and notified affected users and team owners. The company says it will be on the lookout for publicly posted tokens and will alert affected customers.

Researchers noted that it’s easy to create a token that provides full access, but it’s more difficult to create a limited token. When private tokens are created, Slack informs users that they should treat their token as a password. However, many of the users notified by Detectify indicated that they had not known about the risks associated with a leaked token.

This is not the first time sensitive data has been found on GitHub. Shortly after advanced search was introduced in 2013, experts warned that the feature made it easy to uncover passwords, encryption keys and other potentially sensitive information in source code.

One year later, researchers reported that attackers had been scraping GitHub for AWS credentials that they abused in Bitcoin mining operations.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.