One of the most popular features of the corporate messaging tool Slack is a simple API that allows developers to create helpful and fun automated business tools, known as Slack bots. However, some programmers are carelessly including their Slack tokens — credentials tied to personal Slack accounts — in their bots' coding, making the tokens accessible to bad actors whenever these bot projects are shared publicly, warned the research labs division of Swedish cybersecurity service Detectify, in a recent online post.
Developers endanger their place of business when using GitHub and online public repositories to share code containing embedded Slack tokens, because adversaries can find these tokens and use them to log into a developer's company's internal chats and files, silently spy on confidential communications and access source code, passwords to other services and other highly sensitive information.
Detectify has identified over 1,500 tokens that “match the pattern of a Slack token being publicly available on GitHub.” Slack responded to these findings, notifying Detectify that it has revoked these exposed tokens and alerted affected users.
