Popular collaboration and communication firm Slack rushed to plug a security hole in its platform Thursday that was leaving some of its users’ private chats and files accessible to anyone.
Slack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs, which discovered that Slack users were unwittingly sharing sensitive company information on the developer site GitHub.
GitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots whose code contained API credentials (Slack tokens) that unintentionally gave third parties access to private Slack networks and the data stored on them.
Slack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request “Slack bot, please reboot server”. Another Slack bot request might be “What’s the weather for tomorrow?”
Over the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.
“These developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,” said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.
That’s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots on GitHub, they were also uploading their company’s unique API key, or token, inside the Slack bot code. That meant a third party could lift the Slack token from the published code and use it to break into the Slack account of the person who originally created it.
When Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.
Affected, Carlsson told Threatpost, were tokens belonging not only to individual users but also to Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from “renowned advertising agencies that want to show what they are doing internally. University classes at some of the world’s best-known schools. Newspapers sharing their bots as part of stories.”
In a blog post outlining its discovery Thursday, Detectify wrote, “In the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.” Detectify said it discovered the flaw earlier this month.
At first, Slack acknowledged the problem but reminded researchers at Detectify that it is the users’ responsibility not to share tokens and to remove them when they are no longer needed. Slack has since updated its position on tokens, telling Detectify “We’re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we’ve disabled tokens and where we found them. We’ll deactivate these in the next batch.”
Slack’s email sent to its customers explaining the situation can be read online via Detectify’s website. In it the company said it would seek out tokens it believed companies had not intended to share, and deactivate them. “To help protect your team’s information, we’re taking the precautionary step of permanently disabling the affected tokens on your behalf,” it wrote.
In a separate statement made to press Slack stated: “Slack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers’ security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.”
Detectify’s last piece of advice: “Never commit credentials inside code. Ever.”
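The leak described above comes down to a token literal sitting in a source file that is later pushed to a public repository. The following scanner, added here as an illustration and not code from Slack, Detectify or Threatpost, shows both halves of the problem: a constructed "before" bot source with an embedded token, the "after" version that reads the token from the environment so nothing secret is committed, and a check that flags token-like strings before a commit goes out. The pattern assumes that Slack tokens begin with an `xox` prefix followed by a type letter (for example `xoxb-`); the client library name and the sample token are placeholders, not real values.

```python
"""Detect hard-coded Slack tokens in source text before it is committed."""
import re
from typing import Dict, List, Tuple

# Assumption: Slack API tokens start with "xox" plus a type letter and a hyphen
# (e.g. xoxb- for bot tokens, xoxp- for user tokens). The tail is matched loosely
# so the check errs toward flagging rather than missing a token.
SLACK_TOKEN_RE = re.compile(r"\bxox[a-z]-[A-Za-z0-9-]{10,}\b")

# Constructed "before" sample: a bot whose source embeds its token. The library
# name is a placeholder and the token value is made up for this example.
VULNERABLE_BOT_SOURCE = '''
import slack_client_placeholder  # hypothetical client library

TOKEN = "xoxb-CONSTRUCTED-EXAMPLE-TOKEN-0000000000"   # constructed, not a real token
client = slack_client_placeholder.Client(TOKEN)
'''

# Constructed "after" sample: the token is supplied by the deployment environment
# at run time, so the file that lands on GitHub contains no credential.
HARDENED_BOT_SOURCE = '''
import os
import slack_client_placeholder  # hypothetical client library

TOKEN = os.environ["SLACK_BOT_TOKEN"]   # set by the deployment, never committed
client = slack_client_placeholder.Client(TOKEN)
'''


def redact(token: str) -> str:
    """Keep the prefix (token type) and last four characters; hide the rest."""
    return token[:5] + "..." + token[-4:]


def find_slack_tokens(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_token) for every token-like string in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def is_safe_to_commit(files: Dict[str, str]) -> bool:
    """Pre-commit style gate: True only if no staged file contains a token-like string.

    `files` maps a path to its contents; in a real hook this would come from
    the staged diff. Findings are printed redacted so the hook itself never
    echoes a full credential into CI logs.
    """
    clean = True
    for path, source in files.items():
        for lineno, redacted in find_slack_tokens(source):
            print(f"{path}:{lineno}: possible Slack token {redacted}")
            clean = False
    return clean


if __name__ == "__main__":
    staged = {"bot_before.py": VULNERABLE_BOT_SOURCE, "bot_after.py": HARDENED_BOT_SOURCE}
    print("commit allowed" if is_safe_to_commit(staged) else "commit blocked")
```

Run as a pre-commit hook this blocks the commit on the first sample (the token literal on line 4) and passes the second, where the same bot reads `SLACK_BOT_TOKEN` from the environment. The regex is deliberately broad; a tighter alphabet can be substituted once the exact token format in use is known, and the same approach covers tokens left in config files or README snippets, not just Python sources.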