IT professionals need every advantage they can get when it comes to time management. That explains why team messaging service and bot-design tool Slack has become one of the most popular on the market with more than 2.7 million daily active users, according to Tech Times.
As noted SecurityWeek, however, there’s a problem: Some developers have been posting their projects publicly on file sharing services such as GitHub without removing their Slack access tokens. The result? It’s one of the easiest hacks ever for curious — but largely unmotivated — cybercriminals. Here’s the deal.
Slacking Off
One lauded feature of Slack is chatbot integration, which allows developers to create custom bots for a single task. However, security firm Detectify now warned this also presents a significant risk to corporate data.
Slack itself is off the hook — after all, its feature is doing exactly what’s on the box. The problem lies with developers. Many included their Slack access tokens in bot code and then made this code public, in effect giving cybercriminals keys to the corporate kingdom.
All cybercrooks need to do is scan GitHub, grab a token and then use it to gain chat and file access. So far, Detectify has found more than 1,500 tokens — such as xoxp private and xoxb custom bot tokens — from a host of different sources. Forbes 500 companies, payment providers, ad agencies and universities have all made the same mistake.
The Problem With Slack Access Tokens
After learning about the risk, Slack revoked the exposed tokens and said it will now keep an eye out for other access tokens that shouldn’t be part of public bot code. The problem? It may not help. Part of the reason stems from Slack access tokens themselves; while offering full access is easy, creating one with limited permissions is more cumbersome.
History also plays a role. As noted by Ars Technica, companies posting sensitive data on sites like GitHub isn’t a surprise. Last year, Uber stored the access key to a database containing the information of 50,000 drivers on a public page. Criminals regularly scour sharing services for corporate credentials, Web service logins and, now, access tokens.
Bottom line? Lazy and motivated cybercriminals alike would love it if companies would just relax, assume the best and post whatever they want online. After all, it’s far less work to walk through an open door than smash a window. Better still, using legitimate access credentials gives attackers a measure of time to play undetected in corporate networks.
The bot builder is working hard to keep businesses safe from their own poor judgment, but the best Slack can do is damage control. If companies want to stay safe, it’s time to up the effort: Any code moving from private to public needs a credential cleaning before it hits the Web.