Time: 2024-09-20 08:00:39 Source: web compilation Editor: Entertainment
If you perform a very specific query in the search field of online code repository Github, where many Slack bot projects are stored, you can get info that potentially lets you access a trove of corporate data, including companies' internal chats and files.
This is because a lot of Slack bot developers -- and there are a lot of them, since building a Slack bot is quite easy -- included their Slack tokens (personal Slack account credentials) directly in the code, which they share publicly on Github.
The issue was discovered by security company Detectify, which notified Slack about it on March 26. Detectify managed to find "thousands" of such tokens with a simple GitHub search. The story was first reported by Quartz.
Tokens of all types aren't uncommon on GitHub, but the problem is made worse by the way Slack tokens are constructed. In case of private tokens and custom bot tokens, they're a string of characters using these formats:
xoxp-XXXXXXXXX-XXXXXXXXXXXXXXXXXXX
xoxb-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXX
Simply searching for the four-letter prefixes on GitHub will net you a lot of tokens in plain text, which we were able to replicate.
If you've never built anything on the Slack platform, you may think this doesn't affect you, and in many cases that's true. But in larger business organizations, it's quite possible that some team member had built a Slack bot and inadvertently revealed their Slack token, potentially exposing company data.
"Using the tokens it’s possible to eavesdrop on a company. Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack," writes Detectify.
The researchers at Detectify have found tokens belonging to Fortune 500 companies, payment providers, Internet service providers, health care providers, advertising agencies, university classes and newspapers, among other organizations. And using those tokens, they revealed database credentials, private messages and login details for other services.
The good news is the problem has largely already been fixed. Slack responded to the problem, telling Detectify they've “revoked the tokens you reported, notified affected users and team owners directly, and that we’ll be doing that proactively going forward”.
In other words, if someone makes the same mistake again, Slack will disable the tokens and warn them -- as seen in the message Slack recently started sending to some developers.
Developers, in general, should take care not to place tokens directly in code, and should use environment variables instead. Slack admins can make sure only Team Owners and selected Slack members can create tokens and integrations; the option is in Slack's Admin Settings.
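Added here as an illustration (not code from the article, Detectify or Slack): a small Python scanner that flags the two token shapes quoted above in source before it is committed, and that reads the real token from an environment variable as the article recommends. The regex relies only on the xoxp-/xoxb- prefix followed by dash-separated segments, an assumption made so it generalises beyond the exact lengths shown; the sample source and the environment variable name are constructed.

```python
import os
import re
import sys

# Built from the two token shapes quoted in the article (xoxp- for personal
# tokens, xoxb- for bot tokens). Segment lengths are deliberately not fixed
# (assumption: real tokens vary), so any dash-separated alphanumeric string
# after the prefix is flagged for review.
SLACK_TOKEN_RE = re.compile(r"\bxox[pb]-[A-Za-z0-9]+(?:-[A-Za-z0-9]+)+\b")


def redact(token):
    """Keep the prefix and last 4 characters so a report never re-leaks the secret."""
    return token[:5] + "..." + token[-4:]


def find_slack_tokens(text):
    """Return (line_number, redacted_token) for every Slack-looking token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def load_slack_token(env_var="SLACK_BOT_TOKEN"):
    """Read the token from the environment instead of source; fail loudly if unset."""
    token = os.environ.get(env_var)
    if not token:
        raise RuntimeError(f"set {env_var} in the environment; never hardcode it")
    return token


# Constructed sample: a snippet the way a leaky bot would be committed.
SAMPLE_SOURCE = '''\
# bot.py
SLACK_TOKEN = "xoxb-123456789-123456789-123456789-abcdef"   # bad: hardcoded
client = SlackClient("xoxp-123456789-1234567890123456789")  # bad: hardcoded
client = SlackClient(os.environ["SLACK_BOT_TOKEN"])          # good
'''

if __name__ == "__main__":
    # Usage: python scan_slack_tokens.py [file ...]; scans the sample if no files given.
    sources = [("sample", SAMPLE_SOURCE)]
    if sys.argv[1:]:
        sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, text in sources:
        for lineno, token in find_slack_tokens(text):
            print(f"{name}:{lineno}: possible Slack token {token}")
```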
Mashable has contacted Slack about the issue. "Slack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications," a Slack spokesperson said in an email.
According to the spokesperson, Slack will continue to improve its documentation and communications to make sure developers understand this.
"For privacy reasons, we are not sharing information about the teams impacted, however, all of the reported tokens were disabled, as well as others we proactively found. We notified both the users who created the tokens, as well as the owners of affected teams," she wrote.
A popular platform for corporate communication (disclosure: We use Slack at Mashable), Slack boasted more than 2.3 million daily active users in February.