Pierluigi Paganini April 29, 2016

Developers often ignore that they are exposing sensitive data when they publish code containing their Slack access tokens on GitHub.

It was the year 2015, the month of March when Slack officially posted the following statement on their corporate blog:

“there was unauthorized access to a Slack database storing user profile information. We have since blocked this unauthorized access and made additional changes to our technical infrastructure to prevent future incidents.”

The incident prompted two new features to enhance security measures for Slack users/teams.  This included two-factor authentication (2FA) and “Password Kill Switch” for team owners.

Fast forward approx. a year, and Slack’s commitment to “take security seriously” had reassured its users that “every person and team using our service expects their data to be secure and confidential” (more here) has put Slack on the spotlight several times including this one.

The team at Detectify, the creators of a SaaS (security/software-as-a-service) based website security service that audit your company’s website security, have discovered an interesting “feature”.  This feature, called Slack bot, is Slack’s way of marinating authenticity and integrity of the developer and their code/script/program when other Slack users (dev-peers/team) use their code through a process of tokenization—the process of creating a unique ID with privileges such as digital signaling your work.

Think of tokenization as a handshake of a static key. To execute the code in an environment, the right parameters must be met. If the parameters aren’t met, then the security prevention measures will not allow the execution to take place and report an error.  Since, naturally, developers first thing on their mind is to code, they are often unaware of the security ramification when sharing their work to the world.  Github is one of those portals that these developers use to share their work and get ideas and even code contribution. But, what if someone else is able to obtain this token? And use this token to access more than just your code, your workspace or even be able to impersonate you?   Thanks to Detecity, they were able to produce this proof-of-concept and expose these Slack bot tokens that the developers use for their code in clear text through Github’s search engine.   More from Detectify post here.

It is important to note that tokenization is a safe and secure measure to adopt in developing software—in this case; however, not assigning the appropriate privileges on the token can and will put your data/code/work at risk leading to potential security incidents.  Since Slack bot takes care of that for the developer, its lack of setting the right privileges is placing Slack on the hot seat…again.

Still, I give credit where its due. Slack’s ongoing bug bounty on HackerOne  is thriving and active.  In fact, they are looking for security engineers.

Take away from all this:

“NEVER COMMIT CREDENTIALS INSIDE CODE. EVER”, Dectectify

Written by: Rami Shaath

Author Bio: With just under two decades of IT business-technology experience, Rami Shaath is a seasoned, accomplished professional with diverse background and talents spanning in technical, service delivery, and business-development disciplines in various roles and project lead across North America, Europe and the UAE.  He shifted his focus and passion towards cyber security, digital forensics investigations, malware research, threat hunting and intelligence 10 years ago thriving on anything that runs on 1s and 0s.

[adrotate banner=”9″]

Edited by Pierluigi Paganini

(Security Affairs – Slack, Data Leak)