There seems to be a disturbing trend in software development in general: publishing credentials, such as API tokens or the secret (private) keys of an asymmetric encryption scheme, out in the open alongside source code on hosting services such as GitHub.

Secret Keys

Access tokens and secret keys might get accidentally published by lazy developers

Specifically, we're seeing a rise in lazy implementation of basic security practice among those using the Slack API to build automated chat bots. The tokens needed to authenticate users, personal tokens at that, are sometimes included in the clear inside the code, for everyone to read. So if you wanted to download a simple bot that automates a few tasks, you might accidentally get access to the individual's personal files and communications. You'd also potentially get access to the company they work for, which is likely far more detrimental and dangerous.

The token generated for these chat bots can grant access to a wealth of data, and sometimes that data is especially telling. Because the token carries the user's full authorization, in the absence of a system that monitors use of the token from unfamiliar locations or platforms, you will never actually know that someone is eavesdropping on or going through your or your company's Slack data. And people do send important and sensitive data via Slack, because it's assumed to be secure. And it is, if used properly.

The lesson from this is simply to be careful in how you develop your Slack API-based project. Use environment variables, as intended, to supply those access tokens, and keep the tokens out of the source code at all costs. Otherwise, you could be the reason behind the next big leak.
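The following is an added example, not code from the original post or from Slack: it shows the two defensive halves of the advice above. First, a bot reads its token from an environment variable (the variable name `SLACK_BOT_TOKEN` is an assumption) and refuses to start when it is missing, so the token never needs to appear in source. Second, a small pre-commit style scanner looks for token-shaped strings in source text before they are pushed; the regular expression is an assumption about the shape of Slack tokens (the public `xox?-` prefix family) rather than an official specification, and the sample snippets it is run against are constructed for this example.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Hypothetical environment variable name; the post does not prescribe one.
TOKEN_ENV_VAR = "SLACK_BOT_TOKEN"


def get_slack_token(env: Optional[Mapping[str, str]] = None) -> str:
    """Return the Slack token from the environment instead of from source code.

    Raises RuntimeError when the variable is absent or blank so that a
    misconfigured deployment fails loudly instead of running with a
    placeholder or, worse, tempting someone to paste a real token into code.
    """
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set; refusing to start")
    return token


def token_is_configured(env: Optional[Mapping[str, str]] = None) -> bool:
    """Convenience check used at startup (and by tests)."""
    try:
        get_slack_token(env)
        return True
    except RuntimeError:
        return False


# Assumed token shape: the well-known xoxb-/xoxp-/xoxa-/xoxr-/xoxs- prefixes
# followed by a long run of token characters. Good enough for a commit hook;
# a false positive costs a few seconds, a false negative costs a workspace.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}")


def find_hardcoded_tokens(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for every token-looking string in source."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def scan_files(paths: List[str]) -> List[Tuple[str, int, str]]:
    """Scan files on disk; returns (path, line_number, matched_text) triples.

    Intended to be wired into a pre-commit hook: a non-empty result should
    block the commit.
    """
    findings: List[Tuple[str, int, str]] = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, text in find_hardcoded_tokens(fh.read()):
                findings.append((path, lineno, text))
    return findings


# Constructed sample snippets (the token below is fake and follows only the
# assumed shape; it is not a real credential).
BAD_SNIPPET = (
    "import slack\n"
    "client = slack.WebClient(token='xoxb-0000000000-FAKEFAKEFAKE')\n"
)
GOOD_SNIPPET = (
    "import os\n"
    "import slack\n"
    "client = slack.WebClient(token=os.environ['SLACK_BOT_TOKEN'])\n"
)


if __name__ == "__main__":
    print("bad snippet:", find_hardcoded_tokens(BAD_SNIPPET))
    print("good snippet:", find_hardcoded_tokens(GOOD_SNIPPET))
    print("token configured:", token_is_configured())
```

Run `scan_files` over the files staged for commit from a pre-commit hook, and keep `get_slack_token` as the only way the bot ever obtains its credential; together they make the leak described in the post a build failure rather than a discovery on GitHub.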