You Built a Slack Bot to Read Your Team the News and It Told Everyone Everything

Did your dev just post his password on Github?

Stewart Butterfield, CEO of Slack, speaks onstage at The New York Times New Work Summit on March 1, 2016.

If you work anywhere in tech or even a tech adjacent industry, you probably know about Slack. It’s the new intranet for teams, meant to both replace e-mail and better integrate with all the other services professionals use every day (such as Asana, Google Analytics and Trello). However, programmatic integration of those services is putting companies’ sensitive communications at risk, according to security researchers.

Companies like Slack try to win over the toughest employees in any office—the IT crowd and programmers—by letting them build tools atop the cloud-based software’s database, using the Slack API.

And software engineers have been using that API. For example, they have been building bots for Slack that integrate with other services. These bots automatically complete tasks such as sending teams updates about site metrics, answering simple questions or monitoring employee morale. There are so many Slack bots that the category even has its own little version of Product Hunt.

People are doing fun stuff with Slack bots, no question, but they also appear to sometimes be exposing everything their companies do inside Slack to clever adversaries who want access to that information. That’s according to the security firm Detectify, which published a new blog post on the topic this morning, writing, “The problem is that many developers tend to include Slack tokens—credentials tied to their personal Slack account—directly in the code when building Slack bots.”

Developers proud of their projects post their bots’ code on Github (the go-to place for developers to collaborate on open source projects but also to show off their best work to potential future employers). There, adversaries can find the tokens. It’s one of those surprising vulnerabilities that get introduced when companies rely on layers and layers of cloud services, as we reported on previously in a conversation with Jeff Moss, a.k.a. Dark Tangent.

Detectify is the same company that previously warned Patreon about its vulnerability prior to a major security breach and exposed several Chrome extensions tracking absolutely everything their users do in their browsers.

This exposure is very serious. “In the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information,” the Detectify team writes. 

Many non-Slack users may not appreciate just how much information companies share on Slack. A leader at a smallish startup told the Observer in an email, “We use slack a ton. Lots of it casual chit chat humor but also for document sharing and sending and key business communication.” That executive added that the service is central to some other companies’ operations as well.

Some major organizations have been exposed through this mistake, according to the blog post:

Up until now we’ve identified over 1500 tokens that match the pattern of a Slack token being publicly available on GitHub. These tokens belong to different users and companies; among them Forbes 500 companies, payment providers, multiple internet service providers and health care providers.

This is the mistake developers have been making: when they publish their Slack bot’s code on Github, they leave the credentials in it, either OAuth tokens or the slightly less sensitive tokens issued specifically for bots.

Slack’s API documentation is clear about this: OAuth tokens should be treated just like passwords, but developers have been ignoring that advice. Worse, the very structure of those tokens makes them easy to find using Github’s built-in search functions, as the blog post explains.
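The two points above, that a token belongs in the environment rather than in source, and that a token’s structure makes it easy to match, translate directly into a pre-commit check. The following is an added example, not code from the article or from Detectify: a small scanner that flags Slack-shaped tokens in files before they are committed, beside the hardened way of loading the token at runtime. The regular expression is an assumption based on the public `xox?-` prefix convention of Slack tokens, not the pattern Detectify or Github search uses; the sample bot sources and token values are constructed for the demonstration and are not real credentials.

```python
"""Pre-commit style scanner for Slack-shaped tokens, plus the safe way to load one.

Added example; the token pattern is an assumption based on the public prefix
convention (xoxb- for bot tokens, xoxp- for user/OAuth tokens, xoxa-/xoxr-/xoxs-
for other types), not the pattern used by Detectify or by GitHub search.
"""
from __future__ import annotations

import os
import re
import sys
from pathlib import Path

# Type prefix, then dash-separated alphanumeric runs. Word boundaries keep the
# match from swallowing surrounding quotes or punctuation.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[A-Za-z0-9]{8,}(?:-[A-Za-z0-9]+)*\b")


def redact(token: str) -> str:
    """Keep only the prefix and the last four characters so a scan report
    never re-leaks the secret it found."""
    return f"{token[:5]}...{token[-4:]}"


def find_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_token) for every Slack-shaped token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


def scan_files(paths) -> dict[str, list[tuple[int, str]]]:
    """Scan each file; binary or unreadable files are skipped rather than
    crashing the hook, so the check can run over a whole changeset."""
    report: dict[str, list[tuple[int, str]]] = {}
    for path in map(Path, paths):
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        hits = find_tokens(text)
        if hits:
            report[str(path)] = hits
    return report


def load_slack_token(env=os.environ) -> str:
    """The hardened pattern: the token comes from the process environment,
    never from source. Failing loudly at startup beats a hard-coded fallback."""
    token = env.get("SLACK_BOT_TOKEN")
    if not token or not SLACK_TOKEN_RE.fullmatch(token):
        raise RuntimeError("SLACK_BOT_TOKEN is unset or not a Slack token; refusing to start")
    return token


# Constructed sample: a bot with the credential pasted straight into the source.
# The token value is made up and is not a real credential.
VULNERABLE_BOT = (
    "from slackclient import SlackClient\n"
    'SLACK_TOKEN = "xoxp-1111111111-2222222222-3333333333-abcdef0123456789"\n'
    "client = SlackClient(SLACK_TOKEN)\n"
)

# Constructed sample: the same bot reading the token from the environment.
HARDENED_BOT = (
    "import os\n"
    "from slackclient import SlackClient\n"
    'client = SlackClient(os.environ["SLACK_BOT_TOKEN"])\n'
)


if __name__ == "__main__":
    # Usage as a pre-commit hook: python scan_slack_tokens.py $(git diff --cached --name-only)
    report = scan_files(sys.argv[1:])
    for path, hits in report.items():
        for lineno, token in hits:
            print(f"{path}:{lineno}: Slack token found ({token})")
    sys.exit(1 if report else 0)
```

Run with the staged file list as arguments and a non-zero exit blocks the commit; the redacted output tells the developer where the token is without copying it into hook logs or CI output. The same shape check in `load_slack_token` means a bot that is started without its environment variable fails immediately rather than quietly running with whatever default was left in the code.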

Since Detectify reported the security blunder to Slack on March 26th, the company has told Detectify that it is now actively seeking out publicly posted tokens and deactivating them, according to the blog post.

There’s been a great deal of buzz about bots since Facebook opened Messenger up to media companies and startups with data to share, and since Microsoft’s colossal blunder with a Twitter bot meant to learn language from the internet.

There’s no question that messaging is a sizzling hot sector right now, but a sweet bot probably isn’t going to save a company or prove its business model, despite rather breathless pronouncements about the market’s potential.

In fact, as Detectify has spelled out today, a poorly executed bot strategy could even sink a venture.
