Slack API Credentials Left in GitHub Repos Open New Door for Corporate Hacking

  • 29 April 2016
  • 4 replies
  • 3 views


Human error strikes again by exposing small and large companies to a new attack vector via Slack channels

 
Apr 28, 2016 22:10 GMT  ·  By Catalin Cimpanu

Careless developers from companies around the world have forgotten to remove sensitive API access tokens from Slack bots uploaded on GitHub, security researchers from Detectify Labs reported today.
 
Security experts claim they've found over 1,500 Slack access tokens while scanning GitHub projects. Most of these tokens have been found in Slack bots, small apps that allow developers to automate various operations inside Slack channels.
 
Slack is one of today's most successful Silicon Valley companies, enabling users to create private or public chat rooms, on demand, to use for personal purposes or for their businesses.
 
Full Article

4 replies

Userlevel 7
Once again another case of poor security-related system testing by developers...just cannot understand why that is. Was always taught that system testing is key and in the current climate one would expect there to be a heavy focus on security centric aspects of any app. :(
Userlevel 7
By Eduard Kovacs on April 29, 2016
 
Many developers unknowingly expose sensitive data, including business-critical information, when they publish code containing their Slack access tokens on GitHub.
Slack, the popular cloud-based team collaboration tool, allows developers to create bots that help them automate certain tasks. For instance, there are project management bots, out-of-office bots, game bots, and even ones that remind users to exercise.
In many cases these bots are created as hobby projects and developers don’t realize that their code includes an authentication token for their Slack account. By sharing their projects publicly on GitHub, developers allow others to copy these tokens and use them to gain access to their chats and files.
A GitHub search conducted by security firm Detectify turned up more than 1,500 tokens that allow access to potentially sensitive information, including xoxp private tokens and xoxb custom bot tokens.
 
full article here:
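The search the articles describe is, at bottom, a pattern match for the two token prefixes named above (xoxp for user tokens, xoxb for custom bot tokens) over public source code. The following is an added example written for this thread, not code from the articles, Detectify or Slack: a small scanner that finds token-shaped strings in a checkout and, more usefully, in the added lines of a `git diff --cached`, so it can run as a pre-commit hook and stop the token before it reaches GitHub. The token regex (prefix plus at least three dash-separated alphanumeric segments), the `redact` helper, and the sample repository and diff are all assumptions constructed for the example; the tokens in them are made up and do not work.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Assumed token shape (an assumption for this example, not taken from the articles):
# the prefix "xoxp-" (user token) or "xoxb-" (bot token) followed by at least three
# dash-separated alphanumeric segments. Requiring the segments avoids flagging the
# bare prefix where documentation says "your xoxb- token".
SLACK_TOKEN_RE = re.compile(r"\b(xox[pb])-[A-Za-z0-9]+(?:-[A-Za-z0-9]+){2,}\b")

# Unified-diff hunk header; group 1 is the first line number in the new file.
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

TOKEN_KINDS = {
    "xoxp": "user token (acts as the user who authorised it)",
    "xoxb": "custom bot token",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "xoxp" or "xoxb"
    redacted: str   # enough to identify the token, not enough to reuse it


def redact(token: str) -> str:
    """Keep the prefix and the last four characters, e.g. 'xoxb-...UvWx'."""
    return token[:5] + "..." + token[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every token-shaped string in `text`, one Finding per occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SLACK_TOKEN_RE.finditer(line):
            findings.append(Finding(path, line_no, m.group(1), redact(m.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a checkout or a zipball gives you)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the added lines of a unified diff (e.g. `git diff --cached`),
    which is what a pre-commit hook sees before a token ever reaches GitHub."""
    findings = []
    path, new_line_no = "<unknown>", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)
            new_line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            new_line_no += 1
            for m in SLACK_TOKEN_RE.finditer(line[1:]):
                findings.append(Finding(path, new_line_no, m.group(1), redact(m.group(0))))
        elif line.startswith(" "):
            new_line_no += 1  # context line: advances the new-file line count
        # removed ("-") lines and "--- a/..." headers do not exist in the new file
    return findings


# Constructed sample repository (assumption; the tokens are made up and do not work).
SAMPLE_REPO = {
    "bot.py": (
        "import slackclient\n"
        "# TODO: move this to an environment variable\n"
        "SLACK_TOKEN = 'xoxb-000000000000-111111111111-AbCdEfGhIjKlMnOpQrStUvWx'\n"
        "client = slackclient.SlackClient(SLACK_TOKEN)\n"
    ),
    "config.yml": (
        "slack:\n"
        "  user_token: xoxp-000000000000-111111111111-222222222222-0123456789abcdef\n"
    ),
    "README.md": "Export SLACK_TOKEN with your xoxb- token before running the bot.\n",
}

# Constructed `git diff --cached` output for the same mistake caught at commit time.
SAMPLE_DIFF = """\
diff --git a/bot.py b/bot.py
--- a/bot.py
+++ b/bot.py
@@ -1,2 +1,3 @@
 import slackclient
+SLACK_TOKEN = 'xoxb-000000000000-111111111111-AbCdEfGhIjKlMnOpQrStUvWx'
 client = slackclient.SlackClient(SLACK_TOKEN)
"""


def main(argv: list[str]) -> int:
    if len(argv) > 1:                       # python scan.py staged.patch
        with open(argv[1], encoding="utf-8") as fh:
            findings = scan_diff(fh.read())
    else:                                   # no argument: run on the constructed sample
        findings = scan_files(SAMPLE_REPO)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {TOKEN_KINDS[f.kind]} {f.redacted}")
    return 1 if findings else 0             # non-zero exit blocks the commit in a hook


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the two findings in the sample checkout (the README's bare "xoxb-" is correctly ignored); wired into `.git/hooks/pre-commit` as `git diff --cached > staged.patch && python scan.py staged.patch`, the non-zero exit refuses the commit. Findings are printed redacted on purpose: a scanner that echoes the full token into CI logs just creates a second place it leaks from.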
Userlevel 7
Badge +54
By Tom Spring April 30, 2016

Popular collaboration and communication firm Slack rushed to plug a security hole in its platform Thursday that was leaking some of its users’ private chats and files for anyone to access.

Slack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs who discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.

GitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and data stored on them.
 
Full Article
Userlevel 7
It is quite surprising sometimes as to the knock-on effects that an exploit leads to, and quite well demonstrates the interconnectability of many of the things we take for granted.
