Over the past few months, several security researchers have used our bug bounty program to report Slack customers who’ve accidentally posted their Slack authentication tokens to publicly accessible code-sharing websites like Github and Pastebin.
Authentication tokens are password-like strings that users can generate that allow bots, scripts, or other programs to integrate with their Slack team. Slack is far from the only product to provide authentication tokens; tokens are the primary authentication mechanism used by developers across the web because they securely allow services and scripts to work together.
Most of Slack’s customers will never even see an authentication token, let alone run the risk of accidentally posting it online. However, if you’re a developer who is working on a bot, script, app, or other integration, we ask you to please exercise caution with your tokens — double-check your work before sharing any of your code online. (And this applies not just to Slack, but to any development you’re doing for any service that requires a token.) Remember, anyone who has access to your authentication token can perform whatever actions were scoped for that token. In some cases, tokens have full read and write access to every channel and file visible to the user who generated the token. In other words, it can be exactly like sharing your Slack password on the internet.
Since receiving the initial bug bounty report, we have begun proactively monitoring common code-sharing sites for these tokens. When we find a token, we revoke it (which renders it useless) and notify the affected user and team owner. We’ve identified and revoked several hundred tokens this year. If you’d like a sense of scale of this issue, fewer than 0.01% of Slack’s users have made this mistake — most of you are doing a great job securing your tokens, and we thank you for that.
The old adage about an ounce of prevention being worth a pound of cure holds very true here. While we will do our best to find and revoke tokens that are accidentally made public, we cannot guarantee that we’ll be able to find and revoke every single one — the internet is a large place and, as you may know, it is very easy to post content online.
We’ll continue to do our best to find tokens posted publicly, and we’ll always revoke them as we find them. However, it would be best if they were never made public in the first place — it is up to you to keep your information secure. Please remember to practice good hygiene with any code you post online.
From the team at Slack (and all of your Slack team’s members): thank you!