Slack Facing Issues: Slack Bot Tokens Information Exposure


Thursday – April 28, 2016 — Users of Slack, a team collaboration tool, were alarmed when Slack bot tokens were leaked, exposing confidential information of several businesses. This spells danger for the affected companies, since such a breach can lead to serious damage, especially if the exposed data is used against them.


Slack HQ twitter account (https://twitter.com/SlackHQ/status/667116269523570688)

A Growing Reputation


Slack HQ website (https://slackhq.com/slack-for-android-2-0-ddaaba29f421#.h7dprt9jb)

Ever since its arrival in the business world, Slack has made a name for itself as one of the best communication tools ever developed. Since then, more and more kinds of businesses have adopted the messaging tool, because it helps their teams work and communicate with each other.

I even remember when Slack went down last year. Many users of the software almost went crazy, and concerned posts flooded the Slack HQ Twitter account. This just proves that, as time goes by, Slack has built a reputation of being a necessity for employees, and that another little slip can send them back to sending pigeons.

Struggle for Confidentiality

It started when developers added Slack tokens to the code used for building Slack bots. A Slack token is a credential for the user's Slack account, and since this code was shared publicly on GitHub, anyone who found such a token could access the Slack user's private information, such as group and private conversations, or even files containing passwords that were transferred within the tool. The worst part is that it is almost impossible for the affected users to tell whether someone is already inside the workspace and using that information.

Detectify searched GitHub and identified thousands of exposed Slack tokens. These tokens belonged to businesses of every kind, from manufacturing to healthcare and even educational institutions.
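The check Slack and Detectify effectively ran against public GitHub, reduced to a small scanner, as an added example that is not from the original post or from either company: it flags the recognisable shape of a Slack token (the real `xoxb-` bot and `xoxp-` user prefixes) in source text, and shows the fix of reading the token from the environment instead. The sample bot scripts and the token value are constructed.

```python
import os
import re

# Slack API tokens share a recognisable prefix (xoxb- for bot tokens,
# xoxp- for user tokens), so committed source can be scanned for that shape
# before it ever reaches a public repository.
SLACK_TOKEN_RE = re.compile(r"\bxox[bp]-[0-9A-Za-z-]{10,}\b")


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding can be triaged without re-leaking it."""
    return token[:5] + "..." + token[-4:]


def scan_source(text: str):
    """Return (line_number, redacted_token) for every hard-coded Slack token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


def load_bot_token(env=os.environ) -> str:
    """The fix: read the token from the environment instead of the source tree."""
    token = env.get("SLACK_BOT_TOKEN")
    if not token:
        raise RuntimeError("SLACK_BOT_TOKEN is not set")
    return token


# Constructed sample: a bot script with a hard-coded token (the value is made up).
LEAKY_BOT_PY = """\
import slackclient
SLACK_TOKEN = "xoxb-000000000000-000000000000-EXAMPLEEXAMPLEEXAMPLE"
client = slackclient.SlackClient(SLACK_TOKEN)
"""

# Same script after the fix: no secret in the file at all.
FIXED_BOT_PY = """\
import os, slackclient
client = slackclient.SlackClient(os.environ["SLACK_BOT_TOKEN"])
"""

if __name__ == "__main__":
    for path, src in (("bot.py", LEAKY_BOT_PY), ("bot_fixed.py", FIXED_BOT_PY)):
        for lineno, tok in scan_source(src):
            print(f"{path}:{lineno}: hard-coded Slack token {tok}")
```

Run as a pre-commit hook over staged files, the scanner stops a token before it is pushed; a token that has already been published must still be revoked, since copies of the repository cannot be recalled.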

Learning the Lesson

Slack officials sent a response to Ars Technica regarding this issue:

“Slack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers’ security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.

We are monitoring for publicly posted tokens, and when we find any, we revoke the tokens and notify both the users who created them, as well as the owners of affected teams.”

What happened is a clear mistake on the developers' part. They were careless with the credentials they held and disclosed them alongside their code. Still, hats off to Slack for continuing to fix the issue, but this should serve as a lesson for all developers.

They should always remember that one aspect every software developer must consider is the secrecy of data. They should have decided from the get-go how they would protect the information entrusted to them by the users of their product.