时间:2026-07-07 18:09:07 来源:网络整理编辑:熱點
If you perform a very specific query in the search field of online code repository Github, where man
If you perform a very specific query in the search field of online code repository Github, where many Slack bot projects are stored, you can get info that potentially lets you access a trove of corporate data, including companies' internal chats and files.
This is because a lot of Slack bot developers -- and there are a lot of them, since building a Slack bot is quite easy -- included their Slack tokens (personal Slack account credentials) directly in the code, which they share publicly on Github.
SEE ALSO:How do I make Slack apps?The issue was discovered by security company Detectify, which notified Slack about it on March 26. Detectify managed to find "thousands" of such tokens with a simple GitHub search. The story was first reported by Quartz.
Tokens of all types aren't uncommon on GitHub, but the problem is made worse by the way Slack tokens are constructed. In case of private tokens and custom bot tokens, they're a string of characters using these formats:
xoxp-XXXXXXXXX-XXXXXXXXXXXXXXXXXXX
xoxb-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXX
Simply searching for the four letter prefixes on GitHub will net you a lot of tokens in plain text, which we were able to replicate.
If you've never built anything on the Slack platform, you may think this doesn't affect you, and in many cases that's true. But in larger business organizations, it's quite possible that some team member had built a Slack bot and inadvertently revealed their Slack token, potentially exposing company data.
Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords.
"Using the tokens it’s possible to eavesdrop on a company. Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack," writes Detectify.
The researchers at Detectify have found tokens belonging to Fortune 500 companies, payment providers, Internet service providers health care providers, advertising agencies, university classes and newspapers, among other organizations. And using those tokens, they revealed database credentials, private messages and login details for other services.
The good news is the problem has largely already been fixed. Slack responded to the problem, telling Detectify they've “revoked the tokens you reported, notified affected users and team owners directly, and that we’ll be doing that proactively going forward”.
In other words, if someone makes the same mistake again, Slack will disable the tokens and warn them -- as seen in the message Slack recently started sending to some developers.
Developers, in general, should take care not to place tokens directly in the code and use environment variables instead. Slack admins can make sure only Team Owners and selected Slack members can create tokens and integrations; the option is in Slack's Admin Settings.
Mashablehas contacted Slack about the issue. "Slack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications," a Slack spokesperson said in an email.
According to the spokesperson, Slack will continue to improve its documentation and communications to make sure developers understand this.
"For privacy reasons, we are not sharing information about the teams impacted, however, all of the reported tokens were disabled, as well as others we proactively found. We notified both the users who created the tokens, as well as the owners of affected teams," she wrote.
A popular platform for corporate communication (disclosure: We use Slack at Mashable), Slack boasted more than 2.3 million daily active users in February.
Have something to add to this story? Share it in the comments.
Fyvush Finkel, Emmy winner for 'Picket Fences,' dies at 932026-07-07 18:00
4名中國裁判執法國足熱身賽 足協要求嚴格按12強賽標準2026-07-07 17:11
足協杯抽簽儀式舉行:海港申花有望半決賽相遇2026-07-07 16:54
鐵板凳換主力 ?曝曼聯有意用範德貝克換國米鐵衛2026-07-07 16:52
The U.S. will no longer have the final say on internet domain names2026-07-07 16:50
蘇亞雷斯:梅西想在巴薩退役 科曼把我當15歲小孩2026-07-07 16:45
曝越南足協將與主帥樸恒緒續約一年 合約至2022年底2026-07-07 16:13
剪刀石頭布之神 !43歲布馮與隊友玩遊戲 連勝多人2026-07-07 16:02
Olympics official on Rio's green diving pool: 'Chemistry is not an exact science'2026-07-07 15:45
官方:前英格蘭國腳斯圖裏奇加盟澳超珀斯光榮2026-07-07 15:40
Researchers create temporary tattoos you can use to control your devices2026-07-07 16:45
粵媒:中敘熱身就是針對越南戰術演習 國足體能有優勢2026-07-07 16:27
法甲球迷又鬧事!“炮轟”客隊球迷看台 比賽暫停8分鍾2026-07-07 16:15
廣州隊告別卡納瓦羅僅是開始 7名一線隊球員合同將到期2026-07-07 16:09
WhatsApp announces plans to share user data with Facebook2026-07-07 16:04
歐冠單場MVP :薩內什克領銜 巴薩皇馬慘案締造者2026-07-07 16:02
申花落入足協杯死亡之組 泰山隊成為奪冠大熱門2026-07-07 15:54
國足心態成最大問題 長期海外封閉集訓感到焦慮2026-07-07 15:31
WhatsApp announces plans to share user data with Facebook2026-07-07 15:29
中敘熱身賽前國足訓練減量 保護球員身體健康非常重要2026-07-07 15:22