Many developers unknowingly expose sensitive data, including business-critical information, when they publish code containing their Slack access tokens on GitHub.
Slack, the popular cloud-based team collaboration tool, allows developers to create bots that help them automate certain tasks. For instance, there are project management bots, out-of-office bots, game bots, and even ones that remind users to exercise.
In many cases these bots are created as hobby projects and developers don’t realize that their code includes an authentication token for their Slack account. By sharing their projects publicly on GitHub, developers allow others to copy these tokens and use them to gain access to their chats and files.
A GitHub search conducted by security firm Detectify turned up more than 1,500 tokens that allow access to potentially sensitive information, including xoxp tokens (private user tokens, which carry the full permissions of the user who created them) and xoxb custom bot tokens. Because the tokens share a recognizable prefix, a simple code search is enough to find them at scale.
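The same prefix-based search that turns up leaked tokens on GitHub can be run locally before code is pushed. The script below is an added example written for this page, not Detectify's tooling or Slack's own code: it scans a source tree for strings that look like Slack tokens, reports them with the secret redacted, and contrasts a constructed "hobby bot" that hardcodes its token with a version that reads the token from the environment. The regex assumes the commonly seen token layout (an `xoxp-` or `xoxb-` prefix followed by hyphen-separated alphanumeric segments) and is deliberately permissive; the token values in the samples are made up.

```python
import os
import re
import sys
from typing import List, Tuple

# Constructed sample of a "hobby bot" with the token pasted straight into the
# source. The token values are invented for this example, not real credentials.
LEAKY_BOT_SOURCE = '''\
import slackclient

# quick bot for the team channel
SLACK_TOKEN = "xoxb-123456789012-ABCDEFGHIJKLMNOPQRSTUVWX"  # TODO remove before push
admin_token = 'xoxp-123456789012-234567890123-345678901234-abcdef0123456789abcdef0123456789'
client = slackclient.SlackClient(SLACK_TOKEN)
'''

# Hardened form of the same bot: the token lives in the environment (or a
# secrets manager), so there is nothing secret to commit.
HARDENED_BOT_SOURCE = '''\
import os
import slackclient

SLACK_TOKEN = os.environ["SLACK_BOT_TOKEN"]  # set outside the repo
client = slackclient.SlackClient(SLACK_TOKEN)
'''

# Assumption: Slack tokens begin with xoxp- (user token) or xoxb- (bot token)
# and continue with hyphen-separated alphanumeric segments. The prefix is the
# signal; the rest is matched loosely so format changes still trigger a hit.
SLACK_TOKEN_RE = re.compile(r"\b(xox[pb])-[A-Za-z0-9]+(?:-[A-Za-z0-9]+)+\b")

TOKEN_KINDS = {
    "xoxp": "user token (full permissions of the owning user)",
    "xoxb": "bot token",
}


def find_slack_tokens(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, token) for every Slack-looking token in text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, m.group(1), m.group(0)))
    return hits


def redact(token: str) -> str:
    """Keep only the prefix and last four characters so a report is safe to share."""
    prefix, _, rest = token.partition("-")
    return f"{prefix}-...{rest[-4:]}"


def scan_tree(root: str, exts=(".py", ".js", ".json", ".yml", ".yaml", ".env", ".md")):
    """Walk a source tree and collect (path, line, kind, redacted_token) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip directories that are never worth scanning and would only add noise.
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for lineno, kind, token in find_slack_tokens(text):
                findings.append((path, lineno, kind, redact(token)))
    return findings


def main(root: str = ".") -> int:
    """Print findings and return 1 if any token was found (usable as a pre-commit hook)."""
    findings = scan_tree(root)
    for path, lineno, kind, shown in findings:
        print(f"{path}:{lineno}: {TOKEN_KINDS[kind]} {shown}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Demonstrate on the embedded samples, then scan the working directory.
    print("leaky sample:", [(l, k, redact(t)) for l, k, t in find_slack_tokens(LEAKY_BOT_SOURCE)])
    print("hardened sample:", find_slack_tokens(HARDENED_BOT_SOURCE))
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run with a repository path as the argument and wire it into a pre-commit hook so a non-zero exit blocks the push. A match is only a candidate: the scanner identifies token-shaped strings, and the owner still has to revoke the token in Slack, since deleting the line from a later commit leaves it in the repository history.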
“These tokens belong to different users and companies; among them Forbes 500 companies, payment providers, multiple internet service providers and health care providers. Renowned advertising agencies that want to show what they are doing internally. University classes at some of the world’s best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on,” Detectify said in a blog post.
According to researchers, the tokens they found on GitHub provided access to database credentials, logins for internal services, and private messages.
“Using the tokens it’s possible to eavesdrop on a company. Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack,” experts warned.
After being notified by Detectify in late March, Slack revoked the exposed tokens and notified affected users and team owners. The company says it will be on the lookout for publicly posted tokens and will alert affected customers.
Researchers noted that it’s easy to create a token that provides full access, but it’s more difficult to create a limited token. When private tokens are created, Slack informs users that they should treat their token as a password. However, many of the users notified by Detectify indicated that they had not known about the risks associated with a leaked token.
This is not the first time sensitive data has been found on GitHub. Shortly after advanced search was introduced in 2013, experts warned that the feature made it easy to uncover passwords, encryption keys and other potentially sensitive information in source code.
One year later, researchers reported that attackers had been scraping GitHub for AWS credentials that they abused in Bitcoin mining operations.