Threat Intelligence, Incident Response, Network Security, TDR

Slack users expose corporate credentials while creating new ‘bot’ tools

One of the most popular features of the corporate messaging tool Slack is a simple API that allows developers to create helpful and fun automated business tools, known as Slack bots. However, some programmers are carelessly including their Slack tokens — credentials tied to personal Slack accounts — in their bots' coding, making the tokens accessible to bad actors whenever these bot projects are shared publicly, warned the research labs division of Swedish cybersecurity service Detectify, in a recent online post.

Developers endanger their place of business when using GitHub and online public repositories to share code containing embedded Slack tokens, because adversaries can find these tokens and use them to log into a developer's company's internal chats and files, silently spy on confidential communications and access source code, passwords to other services and other highly sensitive information.

Detectify has identified over 1,500 tokens that “match the pattern of a Slack token being publicly available on GitHub.” Slack responded to these findings, notifying Detectify that it has revoked these exposed tokens and alerted affected users.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.