In response to the report, Slack said it’s proactively scraping GitHub for publicly exposed webhooks and invalidating them. Slack itself can also implement changes to prevent this occurring, such as implementing least privilege for incoming webhooks, improved awareness of secrets handling and application verification. Slack Audit Log data can be implemented into a security analytics platform to detect suspicious actions. The second is detecting suspicious OAuth applications where whitelisting may not be an option. Admins have the option to manage their users’ Slack applications and can set up application whitelisting and application approval to review and approve applications before installation. The first and most simple is application whitelisting. Outgoing Webhooks are a legacy method of sending notifications to an app about two specific activities: A message was posted in a particular public Slack channel. There’s no known use of this method to steal Slack data in the wild as yet, but there are ways for Slack administrators to mitigate a possible attack. For example, the depth of access depends on requester access and the scope of that the app initially requests.
#SLACK INCOMING WEBHOOKS EXAMPLE INSTALL#
The process involves discovering leaked webhooks creating a Slack app and allow public installation of the app sending malicious messages to discovered hooks tracking workspaces that install the malicious app and using the app to exfiltrate data from workspaces that install it. Using those public URLs, Slack webhook phishing with Slack Apps becomes possible.
#SLACK INCOMING WEBHOOKS EXAMPLE CODE#
Although webhook URLs are meant to be secret and secure, the researchers found 130,989 public code results containing Slack webhook URLs, with the majority containing the unique webhook value.
In some cases that can also override channel posting provisions, but that’s not where the main vulnerability lies.Įnter GitHub.
The problem starts with the channel override functionality that makes it easy to override the previously specified webhook target channel by adding a “channel” key to the JSON payload. Although pitched as a secure service, the security researchers found that is “not entirely true.”
Webhooks open the door to post data on Slack. Designed as a simple way to post messages from apps into Slack, Incoming Webhooks offers a unique URL in which an app can send a JSON payload with message text and some options. The discovery, announced today, involves exploiting Slack Incoming Webhooks. Security researchers at AT&T Alien Labs have uncovered a vulnerability in Slack Inc.
0 kommentar(er)
