Security researchers have discovered that certain, not-particularly-bright, developers from a huge number of Forbes 500 companies are inadvertently leaking their firms' Slack login credentials onto public code repositories like GitHub, meaning anyone could try to read their messages.
The Slack corporate team messaging service has become hugely popular and now boasts over 2.7 million users around the world, in part because the Slack API and its tokens can easily be customised to create new services called "Slack bots" that use Slack to automate manual tasks.
But according to security firm Detectify, when developers build a new service and share the code for that service onto GitHub, they are forgetting to take out the Slack tokens that relate to their own personal corporate Slack account.
This means that pretty much anyone could go onto GitHub, search for Slack bot projects, read the code, locate the token and then use it to access the company's internet chats and files on Slack – and there's no way for anyone in the company to be able to tell that someone is eavesdropping on the conversation.
1,500 tokens from top companies just sitting on GitHub
Detectify discovered over 1,500 tokens from a huge range of companies, including Forbes 500 companies, payment providers, multiple internet service providers, healthcare providers, renowned advertising agencies, national newspapers and even university classes at some of the world's best-known academic institutions.
The security firm has informed Slack, which says it has revoked all the tokens that were found on GitHub by the security firm, and also notified all affected users and team owners directly.
Slack also says that it has always warned developers to be careful what they do with their tokens and to treat them with the same level of importance that is assigned to passwords. It will be seeking to pro-actively educate users and developers about this problem from now on.
"Best practice: NEVER COMMIT CREDENTIALS INSIDE CODE. EVER," Detectify's researchers wrote in the blog post.
"The first thing you should do is to create environment variables inside a file and ignore that file from the code repository from start.
"GitHub is full of sensitive data. Slack just made it really simple to search for their tokens due to how they are formed. We hope that this advisory might help people realise how big impact getting these tokens exposed really is."