Developers building chat bots for popular team messaging system Slack are leaking their access tokens all over GitHub.
These credentials can be used to quietly log into organizations' private Slack chatrooms and silently snoop on conversations. According to web security biz Detectify, there's a lot of source code committed to public GitHub repositories with these access tokens left in:
Developers are leaking access tokens for Slack widely on GitHub, in public repositories, support tickets and public gists. They are extremely easy to find due to their structure. It is clear that the knowledge about what these tokens can be used for with malicious intent is not on top of people’s minds…yet.
Slack has become a widely used IRC-like messaging system for corporations and organizations, and invites people to build software assistants – bots – that join channels, feed information to colleagues and answer questions.
So if you're building a Slack bot, check to make sure you aren't leaking your credentials all over the web. ®
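The point Detectify makes, that leaked Slack tokens are easy to find because they share a recognisable structure, cuts both ways: the same structure lets a developer check their own repository before pushing. The following is an added example written for this page, not code from Detectify, Slack or The Register. It assumes (a widely documented convention, but not stated in the article) that Slack API tokens start with a prefix of the form `xox` plus one letter plus a hyphen; the sample files, their contents and the token strings in them are constructed, and findings are redacted so the scanner's own output does not become another leak.

```python
"""Scan source files for Slack-style API tokens before they reach a public repo.

Added example, not code from the article. Assumption: Slack tokens begin with
"xox" + one letter + "-" (e.g. xoxb-, xoxp-) followed by digits, letters and
hyphens. Tune SLACK_TOKEN_RE if your tokens differ.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed token shape (see module docstring); the {10,} floor skips short junk.
SLACK_TOKEN_RE = re.compile(r"\bxox[abpors]-[0-9A-Za-z-]{10,}\b")

# Documentation placeholders that look like tokens but carry no secret.
PLACEHOLDER_MARKERS = ("your", "example", "xxxx", "placeholder")

# Constructed sample repository: one real-looking leak in config.py, a harmless
# placeholder in README.md, and a second leak on line 2 of bot.js.
SAMPLE_FILES: Dict[str, str] = {
    "config.py": 'SLACK_TOKEN = "xoxb-123456789012-123456789012-AbCdEfGhIjKlMnOpQrStUvWx"\n',
    "README.md": "Set SLACK_TOKEN in your environment, e.g. xoxb-your-token-here\n",
    "bot.js": (
        "const token = process.env.SLACK_TOKEN;\n"
        "const legacy = 'xoxp-987654321098-111122223333-444455556666-"
        "0123456789abcdef0123456789abcdef';\n"
    ),
}

Finding = Tuple[str, int, str]  # (path, line number, redacted token)


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a report is safe to log."""
    return token[:5] + "..." + token[-4:]


def is_placeholder(token: str) -> bool:
    """True for obvious documentation stand-ins such as xoxb-your-token-here."""
    lowered = token.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one redacted finding per token-like string in `text`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            token = match.group(0)
            if not is_placeholder(token):
                findings.append((path, line_no, redact(token)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> contents (used for the sample)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan a real checkout on disk; binary or undecodable files are skipped."""
    findings: List[Finding] = []
    for file_path in Path(root).rglob("*"):
        if not file_path.is_file() or ".git" in file_path.parts:
            continue
        try:
            text = file_path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend(scan_text(str(file_path), text))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; exit non-zero if anything was found,
    # which is the behaviour you want from a pre-commit hook.
    hits = scan_files(SAMPLE_FILES)
    for path, line_no, shown in hits:
        print(f"{path}:{line_no}: possible Slack token {shown}")
    raise SystemExit(1 if hits else 0)
```

Wired into a pre-commit hook (`scan_tree(".")` over the staged checkout), a non-zero exit blocks the commit, and the redacted output can go straight into CI logs. The placeholder filter is deliberately simple; if it suppresses a real token the cost is a missed finding, so keep the marker list short and lean towards false positives.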