Developers building bots for Slack are including their personal access tokens in code posted on GitHub, researchers have found, a problem that could give anyone who finds the tokens access to internal Slack conversations and files.
Slack is a team communications app used in many organizations to share messages, files, and other data. Developers can write bots that perform specific actions, such as responding to common questions, and those bots authenticate to Slack with a token. Researchers at Swedish security firm Detectify discovered that hundreds of developers are hard-coding their own tokens into bot code and then posting that code publicly on GitHub. A Slack token is, in effect, a credential: whoever holds it can act as the user or bot it was issued to.
Slack tokens follow a fixed, recognizable format: a short type prefix, a hyphen, and then the token body. Because the prefix is constant across all tokens of a given type, the Detectify researchers said, a GitHub code search for the prefix alone turns up leaked tokens directly.
“In the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information. The Detectify Team have already been able to find thousands of tokens by simply searching GitHub; and new tokens are becoming publicly available every day,” researchers at Detectify Labs wrote in a disclosure of the issue.
The consequences of an attacker getting access to a developer’s token could be quite serious.
“Using the tokens it’s possible to eavesdrop on a company. Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack,” the researchers said.
There are several kinds of Slack tokens, including custom bot tokens and private (user) tokens. The private token is the most powerful: it functions like a full username-and-password pair, and with it an attacker gets the same access to the target's Slack team that the user has, not just to a single channel. Detectify's researchers said they found 626 private tokens on GitHub.
“Even for a user with two factor authentication enabled, you can still access Slack with nothing else but this token,” the researchers said.
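The same fixed prefix that makes leaked tokens easy to search for on GitHub also makes them easy to catch before they are pushed. The following Python example is added here as an illustration and is not Detectify's tooling or Slack's own code: it scans text for Slack-shaped tokens, distinguishes user tokens (`xoxp-`, the "private" tokens above) from bot tokens (`xoxb-`), and reports each finding redacted so the report itself does not re-leak the secret. The `xoxp-`/`xoxb-` prefixes are Slack's; the token-body character set and minimum length used by the regex, and the sample snippet with the hard-coded tokens, are this example's own assumptions and constructed data.

```python
"""Scan text (for example, files staged for a commit) for strings shaped like Slack tokens.

Added example, not from the article or from Detectify/Slack.
"""
import re
import sys
from dataclasses import dataclass

# Slack tokens are a type prefix, a hyphen, then the token body. The prefixes
# xoxp- (user) and xoxb- (bot) are Slack's; the body charset [A-Za-z0-9-] and
# the minimum body length of 10 are conservative assumptions for this example
# and deliberately loose so a format change does not silently disable the check.
TOKEN_RE = re.compile(r"\bxox([a-z])-[A-Za-z0-9-]{10,}\b")

TOKEN_KINDS = {
    "p": "user token: acts as the user, full access to the team, works even with 2FA enabled",
    "b": "bot token: limited to what the bot is allowed to do",
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # prefix plus the last four characters, never the whole secret


def redact(token: str) -> str:
    """Keep enough to identify the token type and tail without re-leaking it."""
    return token[:5] + "..." + token[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every Slack-shaped token in `text`, one Finding per match."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            kind = TOKEN_KINDS.get(match.group(1), "other Slack-issued token")
            findings.append(Finding(line_no, kind, redact(match.group(0))))
    return findings


def has_user_token(findings: list[Finding]) -> bool:
    """True if any finding is a user (private) token, the case worth blocking a push over."""
    return any(f.kind.startswith("user token") for f in findings)


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample bot source; neither token is real, they only have the right shape.
SAMPLE = '''import slackclient
# constructed sample: neither token below is real
SLACK_TOKEN = "xoxp-1234567890-1234567890-1234567890-abcdef1234567890abcdef1234567890"
bot = "xoxb-1234567890-abcdefABCDEF1234"
safe = os.environ["SLACK_TOKEN"]
'''


if __name__ == "__main__":
    # With file arguments, scan those; otherwise demonstrate on the constructed sample.
    results = []
    for path in sys.argv[1:] or []:
        results.extend((path, f) for f in scan_file(path))
    if not sys.argv[1:]:
        results = [("<sample>", f) for f in scan_text(SAMPLE)]
    for where, f in results:
        print(f"{where}:{f.line_no}: {f.redacted}  ({f.kind})")
    sys.exit(1 if has_user_token([f for _, f in results]) else 0)
```

Run with no arguments to see the two constructed hits; run with file paths (for example from a pre-commit hook over staged files) and the non-zero exit status on a user token is what stops the push. Reading the token from the environment, as the last sample line does, is what the flagged lines should have done instead.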
Detectify contacted Slack about the issue, and the company has responded by sending a message to teams with leaked tokens, informing them of the problem and disabling any leaked tokens.