Sloppy developers are leaving tokens in their public bot code that would let others listen in on company conversations and pull sensitive data.
Slack bots can brighten up any drab working environment, with motivational quotes or playful reminders. But researchers claim that loads of developers from Forbes 500 companies, payment providers and ISPs are inadvertently leaking Slack tokens in their bot code, exposing private messages and more.
By themselves, Slack bots obviously aren't a looming security issue. But it's when developers upload the bot's code along with tokens for interacting with their company's Slack accounts, publicly to Github or elsewhere, that serious problems arise.
"Because the code contains these tokens, the developer is actually giving anyone—that finds the token—access to the developer's company's internal chats and files on Slack. And not only that, there's no easy way to see if someone is eavesdropping on the communication," the post continues.
Detectify claims it has found over 1,500 tokens that appear to be related to Slack. Although none of the companies or organisations are named, Detectify says some of the leaks are coming from universities, health care providers, newspapers, and advertising agencies too.
"Database credentials, login to continuous integration platforms and internal services, private messages to the token owner and files with passwords," are all things Detectify claims to have found.
Not all Slack tokens are created equal, however, and different types carry different levels of access. An "xoxb" token is restricted from using the "search.All" API, which would allow it to search using a query and pull all the results back in a list. "However, since it still has access to all channels' messages, all data can be retrieved using this token," Detectify writes.
The "xoxp" token, meanwhile, is just like having a username and password. "Even for a user with two factor authentication enabled, you can still access Slack with nothing else but this token," the post continues, adding that with this token the search.All API can be used too.
Other types of tokens are leaking too, Detectify writes, but these are apparently the two most common, with 879 and 626 being exposed, respectively.
Detectify said it notified many of the affected companies, as well as Slack itself; judging by screenshots published by the researchers, some of those companies then revoked the credentials.
A spokesperson from Slack told Motherboard in an email that "Slack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers' security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed."
Of course, this isn't really Slack's fault at all: developers are sloppily leaving their own tokens in code, and then uploading them publicly. And as Detectify points out, this isn't a new issue: In 2014, Forbes reported that attackers were hunting for Amazon server credentials to steal.
"NEVER COMMIT CREDENTIALS INSIDE CODE. EVER," Detectify writes.
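The token types described above and Detectify's closing advice suggest an obvious safeguard: a pre-commit check that refuses to commit anything matching a Slack token. The scanner below is an added example, not Detectify's or Slack's code; the regex shape (an "xox" prefix, a one-letter type code, a hyphen and a hyphen-separated body) and the sample file contents are assumptions constructed for illustration, and the only two type codes it labels are the xoxb and xoxp tokens the article describes.

```python
"""Pre-commit style scanner that flags Slack tokens left in source files."""
import re
import sys
from pathlib import Path

# Assumed token shape (not from the article): "xox", one type letter, a hyphen,
# then a hyphen-separated alphanumeric body. Loose on purpose: a false positive
# costs a glance, a missed token costs the company's Slack history.
SLACK_TOKEN_RE = re.compile(r"\bxox([a-z])-[A-Za-z0-9-]{8,}\b")

# The two types the article describes; anything else is reported as "other".
TOKEN_TYPES = {
    "b": "bot token (xoxb): no search.All, but can still read all channel messages",
    "p": "user token (xoxp): acts as the user, works even with 2FA, search.All allowed",
}


def redact(token):
    """Keep the prefix and last 4 chars so a finding can be traced without re-leaking it."""
    return token[:5] + "..." + token[-4:]


def scan_text(text, origin="<memory>"):
    """Return (origin, line_no, type_description, redacted_token) for each hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SLACK_TOKEN_RE.finditer(line):
            kind = TOKEN_TYPES.get(m.group(1), "other Slack token type")
            findings.append((origin, line_no, kind, redact(m.group(0))))
    return findings


def scan_paths(paths):
    """Scan each readable file in paths; unreadable entries are skipped, not fatal."""
    findings = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample of a bot config as a careless commit might contain it.
SAMPLE = (
    "SLACK_BOT_TOKEN = 'xoxb-0000000000-0000000000-CoNsTrUcTeDsAmPlE'\n"
    "# personal token for local testing\n"
    "user_token = \"xoxp-1111111111-1111111111-1111111111-c0ffeec0ffee\"\n"
    "webhook = 'https://example.invalid/not-a-token'\n"
)

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for origin, line_no, kind, tok in hits:
        print(f"{origin}:{line_no}: {kind}: {tok}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a pre-commit hook
```

Wired into a git pre-commit hook with the staged file names as arguments, the non-zero exit stops the commit before the token ever reaches a public repository.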