Cruising GitHub For Slack Webhook Tokens

GitHub is an incredibly powerful tool for sharing source code, and its value to the modern hacker can’t be overstated. But there’s at least one downside to effortlessly sharing your source: it’s now much easier for the whole world to find out when you screw up. Back in the day, if you accidentally left a username or password in a tarball hosted on your site, you could pull it down before anyone noticed. But push something like that up to GitHub, and you’ve got a problem on your hands.

For an example, look no farther than this tool that crawls GitHub for Slack webhooks written by [Michele Gruppioni]. Exploiting the fact that Slack webhook links have a predictable format, the tool searches repositories to find code that erroneously includes the authentication token. With the token in hand, an attacker now has the ability to send unsolicited messages into that channel.

But [Michele] restrained himself and didn’t Rickroll the over 6,500 Slack channels he had access to after searching GitHub with his tool. Instead, he sent them all a friendly message explaining their webhook tokens were available on GitHub, and gave them a link to where they could get more information about his project.

Most of the people who contacted him after the fact appreciated that he sent a gentle warning and not something unsavory. Still, we’d recommend caution to anyone looking to expose a vulnerability in this manner. While [Michele] had honorable intentions, it’s certainly not unheard of for an embarrassed administrator to blame the messenger.

When used properly, webhooks can be a very handy way of pushing data into your chat platform of choice. We’ve previously looked at a practical example of a weather station that pushes current conditions into a Discord channel. Just try not to accidentally commit your authentication token to the world’s largest database of open source projects, or you might receive more than you bargained for.
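The defender's side of the same observation: because a Slack incoming-webhook URL has a fixed shape, the same pattern that lets a crawler find leaked tokens lets you catch them before they leave your machine. The following is an added example, not [Michele]'s tool or anything from the original article. It assumes the documented URL shape `https://hooks.slack.com/services/T…/B…/<24-character secret>` (the exact ID lengths and the 24-character secret are assumptions, so loosen the regex if your workspace's URLs differ), scans source text for that shape, reports hits with the secret masked, and shows the safe alternative of reading the URL from an environment variable instead of the source tree. The sample source it scans is constructed inline with a placeholder token.

```python
import os
import re
import sys

# Slack incoming-webhook URLs follow a fixed, predictable shape:
#   https://hooks.slack.com/services/T<team id>/B<bot id>/<secret>
# Assumption: IDs are uppercase alphanumerics and the secret is 24
# alphanumerics, as in Slack's documented placeholder URL. Adjust if
# your workspace's webhook URLs differ.
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]{24}"
)


def redact(url):
    """Mask the secret segment so a scan report never re-leaks the token."""
    head, _, secret = url.rpartition("/")
    return head + "/" + "*" * len(secret)


def find_webhook_leaks(text):
    """Return [(line_number, redacted_url), ...] for every webhook URL in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_WEBHOOK_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def scan_paths(paths):
    """Scan files on disk; returns [(path, line_number, redacted_url), ...].

    Binary or unreadable files are skipped rather than aborting the scan.
    """
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
        except OSError:
            continue
        for lineno, url in find_webhook_leaks(text):
            findings.append((path, lineno, url))
    return findings


def get_webhook_url(env=None):
    """The safe pattern: the URL lives in the environment, never in the repo.

    Refuses to run with a missing or malformed value so a misconfiguration
    fails loudly instead of silently posting nowhere.
    """
    env = os.environ if env is None else env
    url = env.get("SLACK_WEBHOOK_URL", "")
    if not SLACK_WEBHOOK_RE.fullmatch(url):
        raise RuntimeError("SLACK_WEBHOOK_URL is unset or malformed; refusing to post")
    return url


# Constructed sample: a file that hard-codes a (placeholder) webhook URL.
CONSTRUCTED_TOKEN = "X" * 24  # placeholder, not a real secret
SAMPLE_SOURCE = (
    "import requests\n"
    "\n"
    'WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/'
    + CONSTRUCTED_TOKEN + '"\n'
    "\n"
    "def notify(msg):\n"
    '    requests.post(WEBHOOK, json={"text": msg})\n'
)


if __name__ == "__main__":
    # Usage as a pre-commit hook: python slack_webhook_scan.py $(git diff --cached --name-only)
    # Exits non-zero when any file contains a webhook URL, blocking the commit.
    targets = sys.argv[1:]
    findings = scan_paths(targets) if targets else [
        ("<sample>", lineno, url) for lineno, url in find_webhook_leaks(SAMPLE_SOURCE)
    ]
    for path, lineno, url in findings:
        print(f"{path}:{lineno}: hard-coded Slack webhook {url}")
    sys.exit(1 if findings else 0)
```

Run with no arguments it scans the embedded constructed sample; given file paths (for instance the staged files from `git diff --cached --name-only`) it scans those and exits 1 on any hit, which is all a pre-commit hook needs. The report masks the secret so that the scan output itself is safe to paste into a ticket.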

19 thoughts on “Cruising GitHub For Slack Webhook Tokens”

  1. I don’t know if I could have shown such restraint. Having had to use Slack in the past and hating every single second of it, I truly can say I cannot stand Slack or any similar paradigms and I wish them all to burn to ashes because I believe that on a whole these are solutions in search of a problem that does not exist and they actually make work and communication more difficult, obfuscated and less effective.

    I would have flooded those channels with NSFW content, no doubt.

          1. In most cases the choice for Slack is a management issue. Any management that chooses the hip thing because promises of “magic” will most likely not be able to properly steer communication anyway.

            The problem in this scenario is that management has chosen the least suitable form of communication, effectively lowering the chances of people using normal channels and common sense to zero.

            I actually understand people who are forced to use Slack or similar garbage to completely shut out other media simply because dealing with that one pile of horse manure is time consuming enough. Why use mail AND slack, we have work to do! It would drive me bonkers switching from structuring email to chat mode every fifteen minutes.

          2. Not a management issue. These +$100k a year devs are grown adults and if I need to step in to manage how they communicate, that’s a grown adult issue.
            What is your experience with Slack and associated workflows?

      1. Sure, I’ll relive that trauma for what I think are obvious flaws with these types of “tools”.

        These are but a few reasons why I violently hate Slack and all the pointless management-wank apps that could be replaced overnight by a short re-introduction how A. to actually talk to people and B. how to write a bloody well structured mail.

        First of all it is a bloated, memory hogging, chat app that eats browsers. The stand alone app does not fare any better. It just reeks of poorly conceived framework upon framework coding by shovel garbage. So I found it impossible to run on the same machine I was doing actual work on.

        But my biggest problem with this trash is the fact that it breeds laziness and complacency in people that really is detrimental to structured proper communication. It being an overgrown chat app, people just plonk anything on there without having a think. Subsequently the random archive of poorly thought out brain farts is now the go-to repository of any project. “Well, I posted it on Slack” as a substitute for a well structured project archive is a true horror.

        Then there is the insane expectation that everybody should reply instantaneously to these mostly one-liners. You get a reply when I thought about it… Like with a normal mail correspondence.

        With bigger projects, the need for such a communication tool is just a sign that you have poorly managed and set up the workflow. If at any one point in any project you have to simultaneously be in contact with more than 2 people, then something else has gone wrong and you need a meeting.

        It truly is the communication paradigm of the most out of touch generation.

        1. Sounds like you had a bad case of poor implementation and mismanagement.

          I can’t disagree with the bloat. Slack is horrible when it comes to memory consumption. I run a very well spec’d laptop and it consumes more resources than anything else I have running.

          As for everything else, that’s not the fault of the app, that’s a training issue. People are inherently lazy because we want to expend the least amount of energy. As a manager or senior it is imperative that we train those around us to still use other methods of communication.

          If your company is using slack as a way to manage projects and they don’t see the problem with that, start looking for a new job because it won’t be long before they shutter the doors and close up shop.

          Regardless, slack, much like any tool, is susceptible to poor implementation and lack of understanding. I’m sorry you had a horrible time with it and hope you’ll give it another chance some day.

          1. No mate, no amount of “management” can hide the fact that Slack is a pointless tool.

            Do you even hear yourself… Here is a tool.. Just add management!!.. You posted that drivel TWICE!!

            Hell no!

        2. I would hate to work with you and your inability to adapt to changes. It’s truly pathetic that you’re so butthurt over a chat client. Your views and your attitude is toxic and your current team has my sympathies.

      1. I genuinely believe that it is not possible to have good security.

        Now, leaving your token in publicly available code is just negligence, but I think it’s an important point to make.

        All programs are exploitable, one way or another. We haven’t yet figured out how to automatically search for vulnerable sections in systems. From the electric level to the hardware level, to the code, to the user, as well as the conversion between each layer, there are near-endless possibilities for bugs and vulnerabilities to be introduced.

  2. Do not worry my little snowflake, we would never work together because I do not work with clowns or children and I’m not sure which one you are. Your pointless assumptions are as pathetic as your obvious shilling for this shitty non-technology.

    My current “teams” have no problems with me at all and hired me specifically as en external freelance communications specialist amongst other things.

    As long as my views and attitude are toxic to idiots like you, I’m really okay with that.. There is nothing to be gained from having some arrogant shill around who promotes change for the sake of change itself. Why not try some square wheels Einstein!
