Slack To Disable Thousands of Logins Leaked on GitHub (detectify.com)

← Back to Stories (view on slashdot.org)

Slack To Disable Thousands of Logins Leaked on GitHub (detectify.com)

Posted by EditorDavid on Saturday April 30, 2016 @12:30AM from the hacking-Slack dept.

An anonymous reader writes: Thursday one technology site reported that thousands of developers building bots for the team-collaboration tool Slack were exposing their login credentials in public GitHub repositories and tickets. "The irony is that a lot of these bots are mostly fun 'weekend projects', reported Detectify. "We saw examples of fit bots, reminding you to stretch throughout the day, quote bots, quoting both Jurassic Park...and Don Quixote...."

Slack responded that they're now actively searching for publicly-posted login credentials, "and when we find any, we revoke the tokens and notify both the users who created them, as well as the owners of affected teams." Detectify notes the lapse in security had occurred at a wide variety of sites, including "Forbes 500 companies, payment providers, multiple internet service providers and health care providers... University classes at some of the world's best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on..."

27 comments

Min score:

Reason:

Sort:

I agree this is "bad" by acroyear · 2016-04-30 00:51 · Score: 2

Any time you keep credentials on a public hub is just a bad thing to do (in a "cross the streams" sense), and I addressed that in a blog entry back when bots were finding thousands of Amazon AWS and S3 OAuth credentials and secret keys made public on github.
But I do wonder, for libraries that give you an API token to use (Flickr, Trello), how should one use it in a pure html5 single-page client app, one that doesn't use any server proxy middleware. E.g., except for securing the API key, there's no reason for a flickr photo slideshow to ever need to talk to my own server: it should just talk to Flickr directly. Routing everything through my server as a proxy just for the API key would be horribly inefficient and expensive on my bandwidth, as well as unnecessarily slow.
But if I just leave the API key in the app's scripts, it can, with a little bit of research in the web console, be found by anybody looking for it. Even if I were to encrypt it in some way, that encryption could be cracked easily because everything needed to decode it could also be found because it all is in the javascript somewhere.
So what if any is the solution for efficient CORS-based HTML5 single page apps for APIs that require a key that you should attempt to secure in some way to prevent others from using the key to create abusive applications of their own?

--
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
1. Re:I agree this is "bad" by acroyear · 2016-04-30 00:55 · Score: 2
  
  answering my own, bookmarking to read later:
  http://billpatrianakos.me/blog...
  which was a follow-up to
  http://billpatrianakos.me/blog...
  
  --
  "But remember, most lynch mobs aren't this nice." (H.Simpson)
  -- Joe
2. Re:I agree this is "bad" by Anonymous Coward · 2016-04-30 02:56 · Score: 2, Interesting
  
  Routing everything through my server as a proxy just for the API key would be horribly inefficient and expensive on my bandwidth, as well as unnecessarily slow
  Isn't that exactly what is being suggested or did you mean everything vs. just the API requests?
  
  As for any functionality in your application that requires you to communicate with a third party API you don’t control, the answer is to make a simple CSRF secured AJAX call to your own back-end and then let your server-side application make the API call on behalf of your front-end then return the response back to your client-side app.
  My idea (probably not new or unique) would be a signed session key using your API key. So you get the API key and API ID from the third party. Someone requests your HTML5 page. You send them a signed session key (apiid:tempkey:validuntil:signature) in the HTML5 page. The request is made and the third party uses the "public" key to check the signature. You and the third party can limit API access per session, by time, etc. and you can add data with the session key (like read only) because it's been signed by you server side.
  It would have to be implemented by the third party but it seems like it might be in their interest.
3. Re:I agree this is "bad" by acroyear · 2016-04-30 03:04 · Score: 1
  
  This seems to be what JWT and other token-based auth systems are moving to, as I've kept reading up on things this morning. Thanks.
  
  --
  "But remember, most lynch mobs aren't this nice." (H.Simpson)
  -- Joe
shouldn't everyone by Gravis+Zero · 2016-04-30 01:04 · Score: 1

shouldn't every company that gives out private authentication tokens for developer to use should be monitoring sites like github and revoking any tokens found? when you sign up to get an authentication token it says you have to keep it secret or it will be revoked, so why aren't more people doing this?

--
Anons need not reply. Questions end with a question mark.
1. Re: shouldn't everyone by Anonymous Coward · 2016-04-30 01:19 · Score: 0
  
  Companies are supposed to grep every OSS and git repo on the planet?
  No, this fault lies squarely on the developers who 1) hardcoded their credentials in source/config files. And 2) uploaded those files to a public repo for the entire world to see.
  There is no protecting this kind of stupid. Those users get hacked is their own problem.
2. Re: shouldn't everyone by Anonymous Coward · 2016-04-30 02:14 · Score: 0
  
  I guess some people might still have legacy projects on Bitbucket, but seriously why would you not use GitHub?
3. Re: shouldn't everyone by Anonymous Coward · 2016-04-30 03:04 · Score: 0
  
  this. developers cannot be trusted with their own security. ive had this incident happen to several absent minded to careless colleagues and our reaction was to educate, eliminate. still happens.
4. Re:shouldn't everyone by Anonymous Coward · 2016-04-30 03:20 · Score: 0
  
  shouldn't every company that gives out private authentication tokens
  yes indeed the hardware store must hire minions to report on people who leave their car keys in the coffee shop
5. Re: shouldn't everyone by Anonymous Coward · 2016-04-30 13:54 · Score: 0
  
  embrace, educate, eliminate
  capcha: revisit... their grave...haha ha ha
6. Re:shouldn't everyone by tlhIngan · 2016-04-30 18:46 · Score: 1
  
  shouldn't every company that gives out private authentication tokens for developer to use should be monitoring sites like github and revoking any tokens found? when you sign up to get an authentication token it says you have to keep it secret or it will be revoked, so why aren't more people doing this?
  Why? You assume developers who ask for a key are smart enough to protect the things. I mean, they're developers, not users. They should be smart enough to know how to protect their keys. Especially when they use source code control systems.
  And scanning GitHub and others is just a small part of all the places you might find the key, so no company would be able to find them all.
What is Slack? by Anonymous Coward · 2016-04-30 01:17 · Score: 0

I can't keep up with all these new companies.
1. Re: What is Slack? by Anonymous Coward · 2016-04-30 02:49 · Score: 0
  
  IRC for newbs
2. Re:What is Slack? by Anonymous Coward · 2016-04-30 04:52 · Score: 0
  
  It's yet another in a continuing series of VC-backed companies and their useful idiot brogrammer employees shitting on the internet by deprecating open protocols and replacing them with closed equivalents, so they can sell your data and then completely fuck you in the ass once enough people are dependent on the service.
  Innovation(TM)!
3. Re:What is Slack? by LynnwoodRooster · 2016-04-30 16:53 · Score: 1
  
  It's this great tool that, instead of allowing you to bunch up communications and save them to answer at your own time (like e-mail), and have fully searchable database tools, filesets, and other attachments (like e-mail), and receive on virtually every device on the face of the earth (like e-mail), and filter/organize conversations by threading on subject or people (like e-mail), it channels all communications into a free-for-all LOOK AT ME NOW/ANSWER ME!!! kind of IRC channel for everyone. But it's on the cloud, so you KNOW it's gotta be good!
  
  --
  Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Copy Paste Development by Anonymous Coward · 2016-04-30 01:21 · Score: 0

With a focus on making everyone a programmer, this is only going to get worse. These people don't understand what they're doing. They're mimicking by following tutorials, copy-pasting other people's code and making small changes. "It works, ship it" is bad when it is caused by deadline stress. It is unavoidable when the "developer" doesn't even understand 90% of the tutorial, but can make it work thanks to the enormous power of modern development environments. IoT is going to be a glorious hacker playground.
1. Re:Copy Paste Development by Anonymous Coward · 2016-04-30 02:32 · Score: 0
  
  With a focus on making everyone a programmer, this is only going to get worse. These people don't understand what they're doing. They're mimicking by following tutorials, copy-pasting other people's code and making small changes. "It works, ship it" is bad when it is caused by deadline stress. It is unavoidable when the "developer" doesn't even understand 90% of the tutorial, but can make it work thanks to the enormous power of modern development environments. IoT is going to be a glorious hacker playground.
  
  It's also the focus on making everything a webapp.
  From TFA:The simplicity of the Slack API and its tokens also inspire people to create services using Slack to automate manual tasks. This aligns well with the ChatOps movement, a conversation-driven development widely credited to GitHub. Using ChatOps enables you to do automation only by writing simple commands in a chat.
  You know what else enables you to do automation by writing simple commands?
  A fucking native command line executable that you invoke from a shell.
  $ make
2. Re: Copy Paste Development by Anonymous Coward · 2016-04-30 04:44 · Score: 0
  
  mod up pls. *1
Already revoked by Anonymous Coward · 2016-04-30 02:48 · Score: 0

Leave it to ArsTechnica to misreport. The tokens have been revoked prior to Detectify's post.
attack of the seven year olds by Anonymous Coward · 2016-04-30 03:18 · Score: 0

Any time you keep credentials on a public hub is just a bad thing to do

yes mommy, i left my locker key on the lunch table and they stole my stuff
tomorrow we will get advice on when to poop
Not leaked, published by Nkwe · 2016-04-30 05:30 · Score: 1

Headline implies a security problem at GitHub. Not correct. Developers are checking plaintext passwords (API keys) into a publicly accessible source control system. Still interesting and news relevant here, but not a breach to be sensationalized.
Odd Sense of Security by Anonymous Coward · 2016-04-30 05:36 · Score: 0

And yet an Incoming WebHook into Slack uses no authentication whatsoever. The payload is encrypted with SSL, but the string that routes to your team/channel is in clearcase in the URL. So, no, one can't see what's being sent to Slack, or directly know which team/channel it's talking to. But one can be a creeper and starting sending his own content, with attachments.
1. Re:Odd Sense of Security by Anonymous Coward · 2016-04-30 06:54 · Score: 0
  
  I'm interested in this for trol...uh...scientific purposes. Are you saying I could start anonymously flooding porn...er...."attachments" into random people's slack channels? How does that work?
Client Side Certificates by Anonymous Coward · 2016-04-30 05:51 · Score: 0

So when are we going to start using client-side certificates?