时间:2025-04-04 04:45:22 来源:网络整理编辑:新聞中心
If you perform a very specific query in the search field of online code repository Github, where man
If you perform a very specific query in the search field of online code repository Github, where many Slack bot projects are stored, you can get info that potentially lets you access a trove of corporate data, including companies' internal chats and files.
This is because a lot of Slack bot developers -- and there are a lot of them, since building a Slack bot is quite easy -- included their Slack tokens (personal Slack account credentials) directly in the code, which they share publicly on Github.
SEE ALSO:How do I make Slack apps?The issue was discovered by security company Detectify, which notified Slack about it on March 26. Detectify managed to find "thousands" of such tokens with a simple GitHub search. The story was first reported by Quartz.
Tokens of all types aren't uncommon on GitHub, but the problem is made worse by the way Slack tokens are constructed. In case of private tokens and custom bot tokens, they're a string of characters using these formats:
xoxp-XXXXXXXXX-XXXXXXXXXXXXXXXXXXX
xoxb-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXX
Simply searching for the four letter prefixes on GitHub will net you a lot of tokens in plain text, which we were able to replicate.
If you've never built anything on the Slack platform, you may think this doesn't affect you, and in many cases that's true. But in larger business organizations, it's quite possible that some team member had built a Slack bot and inadvertently revealed their Slack token, potentially exposing company data.
Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords.
"Using the tokens it’s possible to eavesdrop on a company. Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack," writes Detectify.
The researchers at Detectify have found tokens belonging to Fortune 500 companies, payment providers, Internet service providers health care providers, advertising agencies, university classes and newspapers, among other organizations. And using those tokens, they revealed database credentials, private messages and login details for other services.
The good news is the problem has largely already been fixed. Slack responded to the problem, telling Detectify they've “revoked the tokens you reported, notified affected users and team owners directly, and that we’ll be doing that proactively going forward”.
In other words, if someone makes the same mistake again, Slack will disable the tokens and warn them -- as seen in the message Slack recently started sending to some developers.
Developers, in general, should take care not to place tokens directly in the code and use environment variables instead. Slack admins can make sure only Team Owners and selected Slack members can create tokens and integrations; the option is in Slack's Admin Settings.
Mashablehas contacted Slack about the issue. "Slack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications," a Slack spokesperson said in an email.
According to the spokesperson, Slack will continue to improve its documentation and communications to make sure developers understand this.
"For privacy reasons, we are not sharing information about the teams impacted, however, all of the reported tokens were disabled, as well as others we proactively found. We notified both the users who created the tokens, as well as the owners of affected teams," she wrote.
A popular platform for corporate communication (disclosure: We use Slack at Mashable), Slack boasted more than 2.3 million daily active users in February.
Have something to add to this story? Share it in the comments.
Two astronauts just installed a new parking spot on the International Space Station2025-04-04 04:07
22日賠率:尤文客場戰平黃潛 切爾西主場輕取裏爾2025-04-04 03:55
津媒 :中超大幅降薪已成趨勢 廣州隊再次引領中超“潮流”2025-04-04 03:40
國足集訓名單 :廣州隊10人巴西歸化4人在列 武磊缺席2025-04-04 03:26
We asked linguists if Donald Trump speaks like that on purpose2025-04-04 03:16
切爾西利好!芒特詹姆斯恢複訓練 有望出戰利物浦2025-04-04 03:02
吸粉 !中國女足將帥都愛利物浦 絕殺功臣粉薩拉赫2025-04-04 02:50
巴薩名宿 :梅西該回諾坎普退役 巴黎隻是群雇傭兵2025-04-04 02:47
Two states took big steps this week to get rid of the tampon tax2025-04-04 02:36
泰山隊國腳暫不參加球隊冬訓 外援預計在3月份陸續歸隊2025-04-04 02:06
Major earthquake and multiple aftershocks rock central Italy2025-04-04 04:11
奧巴梅揚 :我勸登貝萊與巴薩續約 哈蘭德又高又快2025-04-04 03:31
莫拉塔表忠心盼永留尤文 老婦人卻僅報價1500萬歐2025-04-04 03:29
荒唐 !拉莫斯因工資不如皮克而憤怒 拿他施壓皇馬2025-04-04 03:24
The Weeknd teases new music in Instagram post2025-04-04 03:15
切爾西利好 !芒特詹姆斯恢複訓練 有望出戰利物浦2025-04-04 03:07
梅州主帥有望繼續帶隊出戰中超 泰山球員楊意林已跟隊訓練2025-04-04 03:02
巴黎體育總監萊昂納多或下課 溫格接任搭檔齊達內 ?2025-04-04 02:12
Satisfy your Olympics withdrawals with Nike's latest app2025-04-04 02:12
俄羅斯航班因緊張局勢取消 曼聯臨時包機赴馬德裏2025-04-04 02:09