Jump to content
  • Slack's private GitHub code repositories stolen over holidays

    alf9872000

    • 596 views
    • 4 minutes
     Share


    • 596 views
    • 4 minutes

    Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories.

     

    The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world.

    Customer data is not affected

    BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022.

     

    The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen.

     

    While some of Slack's private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company.

     

    The wording from the notice [12] published on New Year's eve is as follows:

     

    "On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase."

     

    Slack has since invalidated the stolen tokens and says it is investigating "potential impact" to customers.

     

    At this time, there is no indication that sensitive areas of Slack's environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets.

     

    "Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure," states Slack's security team.

    Security update hidden from search engines?

    Ironically, the security update speaks of Slack taking your "security, privacy, and transparency very seriously," and yet comes with some caveats.

     

    For starters, this "news" item doesn't appear on the company's international news blog aside other articles, at the time of writing.

     

    Additionally, contrary to Slack's earlier blog posts, this update (when accessed in some regions, e.g. UK) is marked with 'noindex'—an HTML feature that is used to exclude a webpage from search engine results, thereby making it harder to discover the page.

     

    slack-noindex.jpg

    Slack security update slapped with a 'noindex' SEO tag (BleepingComputer)

     

    BleepingComputer further observed that the "meta" tag containing the "noindex" attribute was itself placed towards the bottom within the page's HTML code, in an elongated line that overflows without breaking. This means, those viewing the source code (like us) wouldn't readily get to see the buried tag unless they actively searched (Ctrl+F) the source code for it. Per convention, HTML head and meta tags are typically placed at the top of a page.

     

    slack-noindex-line.jpg

    Elongated line 149 containing the 'noindex' tag doesn't wrap (BleepingComputer)

     

    We noticed though, Google has already indexed the U.S. advisory published without the tag.

     

    Other techniques employed by businesses looking to limit the visibility of uncanny news may include the use of geo-fencing and tailoring the robots.txt file. Such techniques, including the use of 'noindex' in important announcements, are typically frowned upon. In some cases, though, 'noindex' attribute may be erroneously applied when the aim was to achieve generating 'canonical' links.

     

    Last year, infosec reporter and editor Zack Whittaker called out LastPass and GoTo for employing similar tactics with LastPass' 2022 security breach disclosure.

     

    In August 2022, Slack reset user passwords after accidentally exposing the password hashes in a separate incident. Unsurprisingly, that particular notice is also marked with a 'noindex' (both the U.S. and international versions).

     

    In 2019, Slack announced it had reset passwords for about 1% of users impacted by the 2015 data breach who additionally met a set criteria.

     

    The good news, with regards to the most recent security update is that no action needs to be taken by customers, for now.

     

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...