Slack’s private GitHub code repositories stolen over holidays


Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories.

The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world.

Customer data is not affected

BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022.

The incident involves threat actors gaining access to Slack’s externally hosted GitHub repositories via a “limited” number of Slack employee tokens that were stolen.

While some of Slack’s private code repositories were breached, Slack’s primary codebase and customer data remains unaffected, according to the company.

The wording from the notice [1, 2] published on New Year’s eve is as follows:

“On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase.”

Slack has since invalidated the stolen tokens and says it is investigating “potential impact” to customers.

At this time, there is no indication that sensitive areas of Slack’s environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets.

“Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure,” states Slack’s security team.

Security update hidden from search engines

Ironically, the security update speaks of Slack taking your “security, privacy, and transparency very seriously,” and yet comes with some caveats.

For starters, this “news” item doesn’t appear on the company’s international news blog aside other articles, at the time of writing.

Additionally, contrary to Slack’s earlier blog posts, this update (when accessed in some regions, e.g. UK) is marked with ‘noindex’—an HTML feature that is used to purposely exclude a webpage from search engine results, thereby making it harder if not impossible to discover the page.

Slack security update marked with noindex SEO tag
Slack security update slapped with a ‘noindex’ SEO tag (BleepingComputer)

BleepingComputer further observed that the “meta” tag containing the “noindex” attribute was itself placed towards the bottom within the page’s HTML code, in an elongated line that overflows without breaking. This means, those viewing the source code (like us) wouldn’t readily get to see the buried tag unless they actively searched (Ctrl+F) the source code for it. Per convention, HTML head and meta tags are typically placed at the top of a page.

Line containing the noindex tag
Elongated line 149 containing the ‘noindex’ tag doesn’t wrap (BleepingComputer)

We noticed though, Google has already indexed the U.S. advisory published without the tag.

Other techniques employed by businesses looking to limit the visibility of uncanny news may include the use of geo-fencing and tailoring the robots.txt file. Such techniques, including the use of ‘noindex’ in important announcements, are typically frowned upon.

Last year, infosec reporter and editor Zack Whittaker called out LastPass and GoTo for employing similar tactics with LastPass’ 2022 security breach disclosure.

In August 2022,  Slack reset user passwords after accidentally exposing their password hashes in a separate incident. Unsurprisingly, that particular notice is also marked with a ‘noindex’ (the U.S. version as well).

In 2019, Slack announced it had reset passwords for about 1% of users impacted by the 2015 data breach who additionally met a set criteria.

The good news, with regards to the most recent security update is that no action needs to be taken by customers, for now.

Source link