

Slack's private GitHub code repositories stolen over holidays
source link: https://www.bleepingcomputer.com/news/security/slacks-private-github-code-repositories-stolen-over-holidays/


Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories.
The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world.
Customer data is not affected
BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022.
The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen.
While some of Slack's private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company.
The wording from the notice [1, 2] published on New Year's Eve is as follows:
"On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase."
Slack has since invalidated the stolen tokens and says it is investigating "potential impact" to customers.
At this time, there is no indication that sensitive areas of Slack's environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets.
"Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure," states Slack's security team.
Security update hidden from search engines?
Ironically, the security update speaks of Slack taking your "security, privacy, and transparency very seriously," and yet comes with some caveats.
For starters, this "news" item does not appear on the company's international news blog alongside other articles, at the time of writing.
Additionally, unlike Slack's earlier blog posts, this update (when accessed in some regions, e.g. the UK) is marked with 'noindex', an HTML meta directive that tells search engines to exclude the page from their results, making it harder to discover.

BleepingComputer further observed that the "meta" tag carrying the "noindex" directive was itself placed towards the bottom of the page's HTML, on a very long line that overflows without wrapping. This means that anyone viewing the source code (like us) would not readily see the buried tag unless they actively searched (Ctrl+F) the source for it. By convention, HTML head and meta tags are placed at the top of a page.
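The noindex mechanism described above can be checked mechanically rather than by scrolling through source. The Python script below is an added example, not code from BleepingComputer or Slack: it scans an HTML document for robots meta directives wherever they appear, reports any noindex tag that sits outside <head> or on an unusually long line, and is run here against a constructed sample page that buries the tag the way the article describes (the sample is invented; it is not the Slack advisory).

```python
"""Audit an HTML document for 'noindex' robots directives, wherever the
<meta> tag sits in the markup. Added example; the sample page is constructed."""
from html.parser import HTMLParser

# Meta names that major search engines honour for indexing directives.
ROBOTS_META_NAMES = {"robots", "googlebot", "bingbot"}


class RobotsMetaScanner(HTMLParser):
    """Collect every robots-related <meta> tag with its line number and
    whether it was encountered inside the <head> element."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.directives = []  # (line_no, meta_name, content, inside_head)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name", "").lower()
        if name in ROBOTS_META_NAMES:
            line_no, _col = self.getpos()
            self.directives.append(
                (line_no, name, attr.get("content", ""), self.in_head)
            )

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def find_noindex(html):
    """Return one dict per noindex directive found in `html`.

    'none' is treated as noindex too, since it means noindex,nofollow.
    Each result records the line the tag sits on, whether that line is
    inside <head>, and how long the line is, so a tag parked on a huge
    trailing line at the bottom of the document stands out."""
    scanner = RobotsMetaScanner()
    scanner.feed(html)
    scanner.close()
    lines = html.splitlines()
    results = []
    for line_no, name, content, inside_head in scanner.directives:
        tokens = {t.strip().lower() for t in content.split(",")}
        if "noindex" in tokens or "none" in tokens:
            results.append({
                "line": line_no,
                "meta_name": name,
                "content": content,
                "inside_head": inside_head,
                "line_length": len(lines[line_no - 1]) if line_no <= len(lines) else 0,
            })
    return results


# Constructed sample: a normal <head>, then the noindex tag hidden at the
# end of a very long line near the bottom of the body.
SAMPLE_ADVISORY = """<!DOCTYPE html>
<html>
<head>
<title>Security update (constructed sample)</title>
<meta name="description" content="Constructed sample page for the scanner">
</head>
<body>
<h1>Security update</h1>
<p>Body text of the notice.</p>
""" + "<div>" + ("padding " * 200) + '<meta name="robots" content="noindex"></div>\n</body>\n</html>\n'


if __name__ == "__main__":
    for hit in find_noindex(SAMPLE_ADVISORY):
        where = "inside <head>" if hit["inside_head"] else "OUTSIDE <head>"
        print(f"line {hit['line']}: <meta name={hit['meta_name']!r} "
              f"content={hit['content']!r}> {where}, line length {hit['line_length']}")
```

Because the scanner walks the parsed tag stream instead of the raw text, the position of the tag and the length of the line it lives on do not affect detection; the usual search-engine names are checked so a page that targets only one crawler is also caught.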

We noticed, though, that Google has already indexed the U.S. advisory, which was published without the tag.
Other techniques employed by businesses looking to limit the visibility of unwelcome news include geo-fencing and tailoring the robots.txt file. Such techniques, including the use of 'noindex' on important announcements, are typically frowned upon. In some cases, though, the 'noindex' attribute may be applied by mistake when the aim was to generate 'canonical' links.
Last year, infosec reporter and editor Zack Whittaker called out LastPass and GoTo for employing similar tactics with LastPass' 2022 security breach disclosure.
In August 2022, Slack reset user passwords after accidentally exposing the password hashes in a separate incident. Unsurprisingly, that particular notice is also marked with a 'noindex' (both the U.S. and international versions).
In 2019, Slack announced it had reset passwords for about 1% of users impacted by the 2015 data breach who additionally met a set of criteria.
The good news, with regard to the most recent security update, is that no action needs to be taken by customers, for now.