Developers are leaking access tokens for Slack on GitHub in public repositories, support tickets, and public gists, security researchers from Detectify have found.
“They are extremely easy to find due to their structure,” Detectify warned, adding that it is clear that the knowledge of what these tokens can be used for with malicious intent is not yet top of mind for most people.
Using the tokens, it is possible to eavesdrop on a company, the researchers said.
Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack.
Detectify said that it was able to identify over 1,500 publicly available strings on GitHub that match the pattern of a Slack token.
These tokens belong to different users and companies, among them Forbes 500 companies, payment providers, Internet service providers, and health care providers.
With the tokens it identified, Detectify said it was able to find database credentials, log in to continuous integration platforms and internal services, see private messages to the token owner, and read files containing passwords.
“We also concluded from the internal communication inside Slack teams, that people tend to be really sloppy with passing credentials in general,” the researchers said.
Following the disclosure of the security problem, Slack said that it has revoked the tokens Detectify reported, notified affected users and team owners directly, and promised to do so proactively from now on.
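The same structure that makes these tokens easy to find also makes them easy to catch before they are pushed. The following is an added example, not Detectify's or Slack's code: a small pre-commit style scanner that flags Slack-token-shaped strings and reports them in redacted form. It assumes the publicly documented Slack prefixes xoxa-, xoxb-, xoxp-, xoxr- and xoxs-, and the sample file content is constructed with fake values.

```python
"""Added example (not Detectify's or Slack's code): flag Slack-token-shaped
strings before they reach a public repository or support ticket.

Assumptions: Slack tokens start with one of the public prefixes xoxa-, xoxb-,
xoxp-, xoxr-, xoxs- (the suffix format varies, so the pattern is kept loose);
the sample lines below are constructed, not real tokens.
"""
import re
from typing import List, Tuple

# Loose pattern: known prefix, then 20+ chars of the token alphabet. A scanner
# like this should prefer a false positive over a missed leak.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{20,}\b")

def find_slack_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, match) pairs for every Slack-shaped token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits

def redact(token: str, keep: int = 4) -> str:
    """Keep the prefix and the last few chars so a finding is recognisable
    without re-leaking the full secret in scanner output or tickets."""
    prefix, _, body = token.partition("-")
    return f"{prefix}-...{body[-keep:]}"

def scan_for_commit(text: str) -> Tuple[bool, List[str]]:
    """Pre-commit style check: returns (commit_allowed, redacted findings)."""
    findings = [f"line {n}: {redact(t)}" for n, t in find_slack_tokens(text)]
    return (not findings, findings)

# Constructed sample of a config file about to be committed (fake values).
SAMPLE = """\
SLACK_BOT_TOKEN=xoxb-0000000000-0000000000-FAKEFAKEFAKEFAKEFAKE
DB_HOST=db.internal.example
# user token pasted into a comment by mistake
# xoxp-1111111111-2222222222-3333333333-FAKEfakeFAKEfakeFAKEfake
not_a_token=xoxq-0000000000-not-matched
"""

if __name__ == "__main__":
    ok, findings = scan_for_commit(SAMPLE)
    print("commit allowed" if ok else "commit blocked")
    for f in findings:
        print("  ", f)
```

Wired into a pre-commit hook, a blocked commit gives the developer the chance to remove the token and, if it was ever pushed, revoke it rather than rely on deleting the commit.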