Cruising GitHub For Slack Webhook Tokens

GitHub is an incredibly powerful tool for sharing source code, and its value to the modern hacker can’t be overstated. But there’s at least one downside to effortlessly sharing your source: it’s now much easier for the whole world to find out when you screw up. Back in the day, if you accidentally left a username or password in a tarball hosted on your site, you could pull it down before anyone noticed. But push something like that up to GitHub, and you’ve got a problem on your hands.

For an example, look no further than this tool that crawls GitHub for Slack webhooks, written by [Michele Gruppioni]. Exploiting the fact that Slack webhook links have a predictable format, the tool searches repositories for code that erroneously includes the authentication token. With the token in hand, an attacker now has the ability to send unsolicited messages into that channel. Since the token is the only thing protecting the webhook, the only real fix once it has leaked is to delete or regenerate the webhook in Slack; rewriting the commit out of the repository doesn't help, because the history and any forks still carry it.
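As an added example (not part of the original article, and not [Michele]'s tool), the scanner below does the core of what such a crawler does once it has text in hand: match the documented shape of a Slack incoming-webhook URL, `https://hooks.slack.com/services/T<team id>/B<webhook id>/<secret>`, report where it was found, and mask the secret so the report itself doesn't become a second leak. The sample source and the ids in it are constructed and belong to no workspace.

```python
"""Scan source text for leaked Slack incoming-webhook URLs.

Added example, not part of the original article or of Michele Gruppioni's
tool. Slack incoming webhooks share a documented shape:
    https://hooks.slack.com/services/T<team id>/B<webhook id>/<secret>
so a regex over any text (a git diff, a repo checkout, CI logs) finds them.
"""
import re
from dataclasses import dataclass
from typing import List

# Team and webhook ids are upper-case alphanumerics; the trailing secret is a
# mixed-case alphanumeric string. Lengths vary between workspaces, so match on
# shape rather than on exact length.
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/"
    r"(?P<team>T[A-Z0-9]{8,12})/"
    r"(?P<hook>B[A-Z0-9]{8,12})/"
    r"(?P<secret>[A-Za-z0-9]{20,})"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    team: str
    hook: str
    redacted: str  # URL with the secret masked, safe to put in a report


def find_webhooks(text: str) -> List[Finding]:
    """Return one Finding per webhook URL in `text`, numbered by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SLACK_WEBHOOK_RE.finditer(line):
            secret = m["secret"]
            masked = secret[:4] + "*" * (len(secret) - 4)
            findings.append(Finding(
                line_no=line_no,
                team=m["team"],
                hook=m["hook"],
                redacted=f"https://hooks.slack.com/services/{m['team']}/{m['hook']}/{masked}",
            ))
    return findings


def redact(text: str) -> str:
    """Replace every secret path segment with a fixed placeholder."""
    return SLACK_WEBHOOK_RE.sub(
        lambda m: f"https://hooks.slack.com/services/{m['team']}/{m['hook']}/REDACTED",
        text,
    )


# Constructed sample: what a careless config file or notebook might contain.
# The ids and secret below are made up and do not belong to any workspace.
SAMPLE_SOURCE = """\
# notify.py
SLACK_URL = "https://hooks.slack.com/services/T0123ABCD/B0456EFGH/aBcDeFgHiJkLmNoPqRsTuVwX"
requests.post(SLACK_URL, json={"text": "deploy finished"})
# A bare hostname mention is not a leak and must not match:
# see https://hooks.slack.com/services for the docs
"""

if __name__ == "__main__":
    for f in find_webhooks(SAMPLE_SOURCE):
        print(f"line {f.line_no}: team={f.team} hook={f.hook} {f.redacted}")
```

Run it as a pre-commit hook over the staged diff and it catches the token before it ever reaches GitHub, which is a much cheaper place to catch it than a stranger's DM.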

But [Michele] restrained himself and didn’t Rickroll the over 6,500 Slack channels he had access to after searching GitHub with his tool. Instead, he sent them all a friendly message explaining their webhook tokens were available on GitHub, and gave them a link to where they could get more information about his project.

Most of the people who contacted him after the fact appreciated that he sent a gentle warning and not something unsavory. Still, we’d recommend caution to anyone looking to expose a vulnerability in this manner. While [Michele] had honorable intentions, it’s certainly not unheard of for an embarrassed administrator to blame the messenger.

When used properly, webhooks can be a very handy way of pushing data into your chat platform of choice. We’ve previously looked at a practical example of a weather station that pushes current conditions into a Discord channel. Just try not to accidentally commit your authentication token to the world’s largest database of open source projects, or you might receive more than you bargained for.

Making An Update Server For PythonAnywhere And GitHub

Cloud-based IDEs and development tools have grown over the years, though most have limitations in their free tiers and may not be fully compatible with other services such as GitHub. [Aadi Bajpai] loved using PythonAnywhere and collaborating through GitHub, so he made an update server that automatically updates the running code once you push to GitHub.

PythonAnywhere gives you access to a Python shell from a web browser, and also lets you run a web app that can be reached via a custom sub-domain. Even though it does not have direct integration with GitHub, you can drop to the bash shell and get access to a git client.

For this hack, [Aadi Bajpai] uses the webhooks that GitHub fires when a push event is detected. A Flask server running on PythonAnywhere is written such that, once triggered by the incoming POST request, it locally executes a git pull from the repository. There's a bit more work to add some security to the recipe (without it, anyone who discovers the endpoint can make your server pull; GitHub can sign each delivery with a shared secret so the server can reject requests that didn't come from GitHub), but it is a pretty elegant solution and can be used for other cases as well.
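The receiver below is an added example, not [Aadi Bajpai]'s server. It uses only the Python standard library (http.server in place of Flask) so it runs anywhere, but the checks are exactly the ones a Flask route on PythonAnywhere would do: verify GitHub's HMAC-SHA256 signature of the raw body (sent in the X-Hub-Signature-256 header when the webhook has a secret configured), deploy only on a push to the intended branch, and run git with a fixed argv rather than a shell. The repository path, the environment variable names and the branch name are assumptions for the example.

```python
"""Receive a GitHub push webhook, verify its signature, then `git pull`.

Added example, not the article's server. Assumptions (not from the article):
the checkout lives at REPO_DIR, the secret entered in the webhook's settings
on GitHub is mirrored in WEBHOOK_SECRET, and only pushes to ALLOWED_REF
should be deployed.
"""
import hashlib
import hmac
import json
import os
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

REPO_DIR = os.environ.get("REPO_DIR", "/home/user/mysite")     # assumed path
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "").encode()  # assumed env var
ALLOWED_REF = "refs/heads/main"                                 # assumed branch


def sign(secret: bytes, body: bytes) -> str:
    """Header value GitHub sends: 'sha256=' + hex HMAC-SHA256(secret, body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """True iff `header` is the correct signature of `body` under `secret`.

    An empty secret means the webhook was never configured with one, so
    nothing is rejected... which is why it is treated as a failure here.
    compare_digest keeps the comparison constant-time, so timing does not
    leak how many leading bytes of a guessed MAC were right.
    """
    if not secret or not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), header[len("sha256="):].encode())


def should_deploy(event: Optional[str], payload: dict) -> bool:
    """Only a push to the deployed branch should trigger a pull."""
    return event == "push" and payload.get("ref") == ALLOWED_REF


def pull_repo(repo_dir: str) -> str:
    """Run `git pull --ff-only` with a fixed argv (no shell) and return stdout."""
    result = subprocess.run(
        ["git", "-C", repo_dir, "pull", "--ff-only"],
        capture_output=True, text=True, timeout=120, check=True,
    )
    return result.stdout


class Handler(BaseHTTPRequestHandler):
    def _reply(self, status: int, body: bytes = b"") -> None:
        self.send_response(status)
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_POST(self) -> None:
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Check the signature over the raw bytes before parsing anything.
        if not verify_signature(WEBHOOK_SECRET, body, self.headers.get("X-Hub-Signature-256")):
            return self._reply(403)
        try:
            payload = json.loads(body)
        except ValueError:
            return self._reply(400)
        if not should_deploy(self.headers.get("X-GitHub-Event"), payload):
            return self._reply(204)  # e.g. the initial "ping" or another branch
        try:
            out = pull_repo(REPO_DIR)
        except subprocess.CalledProcessError as exc:
            return self._reply(500, exc.stderr.encode())
        self._reply(200, out.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

`sign()` is there so you can exercise the endpoint locally with curl before pointing GitHub at it; in production the header comes from GitHub and the secret never leaves the two ends.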

Setting up alert notifications is an interesting task in its own right, and wiring Discord or Slack into them adds a little more bragging rights.

The Electric Imp Sniffs Out California Wildfires

The wildfires in California are now officially the largest the state has ever seen. Over 50,000 people have been displaced from their homes, hundreds are missing, and the cost in property damage will surely be measured in the billions of dollars when all is said and done. With a disaster of this scale just the immediate effects are difficult to conceptualize, to say nothing of the collateral damage.

While not suggesting their situation is comparable to those who’ve lost their homes or families, Electric Imp CEO [Hugo Fiennes] has recently made a post on their blog calling attention to the air quality issues they’re seeing at their offices in Los Altos. To quantify the problem so that employees with respiratory issues would know the conditions before they came into work, they quickly hacked together a method for displaying particulate counts in their Slack server.

The key to the system is one of the laser particle sensors that we're starting to see more of thanks to a fairly recent price drop on the technology. A small fan pulls air to be tested into the device, where a very sensitive optical sensor detects the light scattered by particles as they pass through the laser beam. The device reports not only how many particles are passing through it, but how large they are. The version of the sensor [Hugo] links to in his blog post includes an adapter board to make it easier to connect to your favorite microcontroller, but we've previously seen DIY builds which accomplish the same goal.

[Hugo] then goes on to provide firmware for the Electric Imp board that reads the current particulate counts from the sensor and serves a simple web page that can be viewed from anywhere in the world to see real-time conditions at the office. From there, this data can be plugged into a Slack webhook which will provide an instantaneous air quality reading anytime a user types “air” into the channel.

We’ve covered a number of air quality sensors over the years, and it doesn’t look like they’re going to become any less prevalent as time goes on. If anything, we’re seeing a trend towards networks of distributed pollution sensors so that citizens can collect their own data on the air they’re breathing.

[Thanks to DillonMCU for the tip.]