Application Security

Slack Tokens Leaked on GitHub Put Companies at Risk

Many developers unknowingly expose sensitive data, including business-critical information, when they publish code containing their Slack access tokens on GitHub.

Slack, the popular cloud-based team collaboration tool, allows developers to create bots that help them automate certain tasks. For instance, there are project management bots, out-of-office bots, game bots, and even ones that remind users to exercise.

In many cases these bots are created as hobby projects and developers don’t realize that their code includes an authentication token for their Slack account. By sharing their projects publicly on GitHub, developers allow others to copy these tokens and use them to gain access to their chats and files.

A GitHub search conducted by security firm Detectify turned up more than 1,500 tokens that allow access to potentially sensitive information, including xoxp private tokens and xoxb custom bot tokens.

“These tokens belong to different users and companies; among them Forbes 500 companies, payment providers, multiple internet service providers and health care providers. Renowned advertising agencies that want to show what they are doing internally. University classes at some of the world’s best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on,” Detectify said in a blog post.

According to researchers, the tokens they found on GitHub provided access to database credentials, logins for internal services, and private messages.

“Using the tokens it’s possible to eavesdrop on a company. Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack,” experts warned.

After being notified by Detectify in late March, Slack revoked the exposed tokens and notified affected users and team owners. The company says it will be on the lookout for publicly posted tokens and will alert affected customers.

Researchers noted that it’s easy to create a token that provides full access, but it’s more difficult to create a limited token. When private tokens are created, Slack informs users that they should treat their token as a password. However, many of the users notified by Detectify indicated that they had not known about the risks associated with a leaked token.
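The exposure described above happens at the moment code containing a token is committed and pushed. A defensive check a developer can run locally (for instance as a pre-commit hook over staged files) is a scanner that flags strings shaped like the xoxp and xoxb tokens the article names. The following is an added example written for this page; it is not Detectify's tooling or anything Slack ships. The token body pattern (hyphen-separated alphanumeric runs after the prefix) and the file names are assumptions made for illustration, and the sample input is constructed, not a real credential.

```python
import re
import sys
from pathlib import Path

# Prefixes named in the article: xoxp (private user token) and xoxb (custom bot token).
# ASSUMPTION: the body after the prefix is two or more hyphen-separated alphanumeric
# runs. This is deliberately conservative; tune it for your own environment.
SLACK_TOKEN_RE = re.compile(r"\bxox[pb]-[0-9A-Za-z]+(?:-[0-9A-Za-z]+)+\b")


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding is recognisable
    in a report without re-leaking the full secret."""
    return token[:5] + "..." + token[-4:]


def find_slack_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_token) for every Slack-style token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


def scan_files(paths: list[Path]) -> dict[str, list[tuple[int, str]]]:
    """Scan each readable text file; skip binaries and unreadable paths."""
    report = {}
    for path in paths:
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except (OSError, UnicodeDecodeError):
            continue  # binary or unreadable: nothing to scan
        hits = find_slack_tokens(text)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample standing in for a hobby bot's config file. The token value is
# made up for this example and has the shape, not the value, of a real token.
SAMPLE_SOURCE = """\
import slackclient
SLACK_TOKEN = "xoxb-000000000000-000000000000-EXAMPLEbotTOKENexample"
client = slackclient.SlackClient(SLACK_TOKEN)
greeting = "xoxbar"  # similar prefix but not a token shape; must not match
"""


def main(argv: list[str]) -> int:
    """Usage: scan_slack_tokens.py FILE... (exit 1 if any token-shaped string is found).
    As a pre-commit hook, pass the output of `git diff --cached --name-only`."""
    report = scan_files([Path(p) for p in argv[1:]])
    for path, hits in report.items():
        for lineno, redacted in hits:
            print(f"{path}:{lineno}: possible Slack token {redacted}")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exiting non-zero from the hook blocks the commit, which is the cheapest point to catch the problem; once the token is in a public repository it must be treated as compromised and revoked regardless of how quickly the commit is removed.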

This is not the first time sensitive data has been found on GitHub. Shortly after advanced search was introduced in 2013, experts warned that the feature made it easy to uncover passwords, encryption keys and other potentially sensitive information in source code.

One year later, researchers reported that attackers had been scraping GitHub for AWS credentials that they abused in Bitcoin mining operations.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.