Monday 2 May 2016

Slack Access Token Leaked on GitHub, Business Data On Risk

Slack is a popular cloud-based collaboration tool, used mainly for internal communication within a company. Recent news has revealed a security hole affecting it.

Last week it was announced that private chats and confidential information had been leaked.
Slack is a leading tool for internal company communication, but the security firm Detectify Labs warned it that Slack users were unknowingly exposing private and important company information on the developer website GitHub.

GitHub is a web-based hosting service for Git repositories. It gives others access to the source code kept in those repositories and lets them contribute new features.

It serves a large number of developers and, without anyone intending it, hosts a large number of Slack bots. The source code of many of these bots contains API information, specifically access tokens.

Slack bots are Slack's built-in robots. They can help you complete your profile and set up integrations, act as a personal, private, always searchable and accessible notepad, and send automatic responses to your messages.

The following example shows how Slack bots work. They can serve serious as well as silly purposes.

For example, if you want your Slack bot to reboot your server, you just type the message “Slack bot, please reboot server”.

Over the years many companies have created numerous Slack bots for their internal conversations. Some developers have decided to share the source code of these bots on GitHub so that other developers can reuse it and, by modifying or adding code, adapt the bots to other tasks.

Developers are proud of this code, but when they share it on GitHub they unknowingly share along with it the tokens, or API keys, of their companies that are embedded in the bot code. In effect, the code carries the keys to the locker holding the company's confidential data, private chats and messages.
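One way to catch such a token before the code reaches GitHub is a small scanner run over your own repository before committing. This is an added example, not code from the article or from Detectify; it assumes Slack tokens carry the well-known `xox?-` prefix, uses a constructed sample bot script, and the helper names (`scan_lines`, `scan_repo`) and the `SLACK_TOKEN` environment variable are choices made for the example.

```python
import os
import re
from typing import List, Tuple

# Slack API tokens carry the well-known "xox?-" prefix (xoxb bot, xoxp user, ...).
# The exact body shape is an assumption for this example, not taken from the article.
SLACK_TOKEN_RE = re.compile(r"\bxox[abopsr]-[A-Za-z0-9-]{10,}\b")

def redact(token: str) -> str:
    """Keep only the edges so a report never reproduces the full secret."""
    return token[:5] + "..." + token[-4:]

def scan_lines(path: str, lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, redacted_token) for every token-looking string."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in SLACK_TOKEN_RE.finditer(line):
            findings.append((path, no, redact(m.group(0))))
    return findings

def scan_repo(root: str) -> List[Tuple[str, int, str]]:
    """Walk a checkout and scan every text file; .git and undecodable files are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_lines(path, fh.read().splitlines()))
            except (UnicodeDecodeError, OSError):
                continue
    return findings

# Constructed sample of a bot script with the token hard-coded, as the article describes.
SAMPLE_BOT_PY = [
    "import slackclient",
    "SLACK_TOKEN = 'xoxb-123456789012-abcdefghijklmnopqrstuvwx'  # constructed, not a real token",
    "client = slackclient.SlackClient(SLACK_TOKEN)",
]

# The same script with the token read from the environment (variable name assumed),
# so nothing secret lives in the file that gets pushed.
SAMPLE_BOT_FIXED_PY = [
    "import os, slackclient",
    "client = slackclient.SlackClient(os.environ['SLACK_TOKEN'])",
]
```

Calling `scan_repo(".")` from a pre-commit hook and exiting non-zero when it returns any findings blocks the commit until the token is moved out of the source.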

The prime concern is that anyone who extracts these tokens from the code can take over the account of the bot's creator and gain access to it.

Detectify concluded that an attacker can access all the data shared with the Slack bot's account.

In a blog post, Detectify wrote that in the worst case these tokens can give access to database credentials, passwords, files, source code and other highly sensitive information.

Slack paid the security researcher a $5000 bounty for the report.