Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Researchers found more than 1,500 Slack access tokens for bots and accounts in public GitHub projects

Developers from hundreds of companies have included access tokens for their Slack accounts in public projects on GitHub, putting their teams' internal chats and other data at risk.

Slack has become one of the most popular collaboration and internal communication tools used by companies because of its versatility. The platform's API allows users to develop bots that can receive commands or post content from external services directly in Slack channels, making it easy to automate various tasks.

Many developers post the code for their Slack bots -- some of which are small personal projects -- on GitHub, but fail to remove the bots' access tokens. Some developers even include private tokens associated with their own accounts in the code.

Such tokens can provide access to chats, files, private messages, and other sensitive data shared inside the Slack teams where those developers or bots are members.

Researchers from website security firm Detectify found more than 1,500 Slack tokens on GitHub, some of the tokens providing access to teams from payment providers, Internet service providers, schools, advertising agencies, newspapers and health care providers.

Using those tokens, the researchers gained access to Slack teams and found database credentials, sensitive private messages, files containing passwords, and logins to continuous integration platforms and internal services.

"We also concluded from the internal communication inside Slack teams that people tend to be really sloppy with passing credentials in general," the Detectify researchers said in a blog post.

This is not the first time sensitive access tokens were exposed in projects hosted on GitHub. In 2014, one researcher found almost 10,000 access keys for Amazon Web Services and Elastic Compute Cloud left by developers inside publicly accessible code on GitHub.

Other researchers found credentials for back-end databases and services hard-coded in thousands of mobile apps, which can be easily unpacked and inspected.

"Never commit credentials inside code, ever," the Detectify researchers said. "The first thing you should do is to create environment-variables inside a file and ignore that file from the code repository from [the] start."

Slack allows team owners to restrict the creation of apps and custom integrations to only select members, instead of all of them.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?