Slack’s private GitHub code repositories stolen over holidays

Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories.

The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and in digital communities around the world.

Customer data is not affected

BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022.

The incident involves threat actors gaining access to Slack’s externally hosted GitHub repositories via a “limited” number of stolen Slack employee tokens.

While some of Slack’s private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company.

The wording of the notice [1, 2] published on New Year’s Eve is as follows:

“On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase.”

Slack has since invalidated the stolen tokens and says it is investigating the “potential impact” to customers.

Currently, there is no indication that sensitive areas of Slack’s environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets.

“Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure,” states Slack’s security team.

Security update hidden from search engines?

Ironically, the security update speaks of Slack taking your “security, privacy, and transparency very seriously,” and yet it comes with some caveats.

For starters, this “news” item does not appear on the company’s international news blog alongside its other articles, at the time of writing.

Additionally, contrary to Slack’s earlier blog posts, this update (when accessed in some regions, e.g. the UK) is marked with ‘noindex’. This is a robots directive, delivered either as an HTML meta tag (`<meta name="robots" content="noindex">`) or as an X-Robots-Tag HTTP response header, that tells search engines to exclude the page from their results, thereby making it harder to find.

[Image] Slack security update slapped with a ‘noindex’ SEO tag (BleepingComputer)

BleepingComputer further noticed that the “meta” tag carrying the “noindex” directive was itself placed towards the bottom of the page’s HTML, on an elongated line that overflows without breaking. This means anyone viewing the source code (like us) would not readily see the buried tag unless they actively searched (Ctrl+F) the source for it. By convention, HTML meta tags are placed inside the `<head>` element at the top of a page.

[Image] Elongated line 149 containing the ‘noindex’ tag does not wrap (BleepingComputer)

We noticed, though, that Google has already indexed the U.S. version of the advisory, which was published without the tag.

Other techniques employed by companies looking to limit the visibility of unfavorable news may include geo-fencing and tailoring the robots.txt file. Such techniques, along with the use of ‘noindex’ on important announcements, are generally frowned upon. In some cases, though, the ‘noindex’ directive may be applied by mistake when the goal was merely to generate ‘canonical’ links.
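The two checks described above (a ‘noindex’ robots tag buried on a long line outside `<head>`, and ‘noindex’ appearing alongside a canonical link where only the latter was intended) can be automated rather than done with Ctrl+F. The following Python script is an added example written for this article; it is not code from BleepingComputer or Slack. It reports every robots meta tag and canonical link with its line number and whether it sits inside `<head>`, and separately checks for the X-Robots-Tag header, which has the same effect but never shows up in the HTML source at all. The sample page it parses is constructed for the example and `example.invalid` is a placeholder domain.

```python
"""Locate search-engine de-indexing directives buried in a page's HTML.

Added example for this article; not BleepingComputer's or Slack's code.
"""
from html.parser import HTMLParser

# Meta names that search engines treat as robots directives.
ROBOTS_META_NAMES = {"robots", "googlebot", "bingbot"}


class RobotsDirectiveFinder(HTMLParser):
    """Collect robots meta tags and canonical links with their positions."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_head = False  # True while the parser is inside <head>

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        line, _offset = self.getpos()  # line number where this tag starts
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and attr.get("name", "").lower() in ROBOTS_META_NAMES:
            directives = [d.strip().lower() for d in attr.get("content", "").split(",") if d.strip()]
            self.findings.append({
                "kind": "meta",
                "name": attr["name"].lower(),
                "directives": directives,
                # 'none' is shorthand for 'noindex, nofollow'
                "noindex": "noindex" in directives or "none" in directives,
                "line": line,
                "in_head": self.in_head,
            })
        elif tag == "link" and "canonical" in attr.get("rel", "").lower().split():
            self.findings.append({
                "kind": "canonical",
                "href": attr.get("href", ""),
                "line": line,
                "in_head": self.in_head,
            })

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_html(html):
    """Summarise robots directives found anywhere in the document."""
    finder = RobotsDirectiveFinder()
    finder.feed(html)
    finder.close()
    metas = [f for f in finder.findings if f["kind"] == "meta"]
    return {
        "noindex": any(f["noindex"] for f in metas),
        "noindex_lines": [f["line"] for f in metas if f["noindex"]],
        # A robots meta tag outside <head> is unconventional and worth flagging.
        "noindex_outside_head": [f["line"] for f in metas if f["noindex"] and not f["in_head"]],
        "canonical": [f["href"] for f in finder.findings if f["kind"] == "canonical"],
    }


def header_noindex(headers):
    """True if an X-Robots-Tag response header de-indexes the page."""
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        # The header may carry a user-agent prefix, e.g. "googlebot: noindex".
        directives = value.split(":", 1)[-1] if ":" in value else value
        tokens = {t.strip().lower() for t in directives.split(",")}
        if "noindex" in tokens or "none" in tokens:
            return True
    return False


# Constructed sample page (not Slack's real markup): a normal <head> with a
# canonical link, then one long unbroken line near the bottom of the body
# that carries the robots noindex tag.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Security update</title>
<link rel="canonical" href="https://example.invalid/news/security-update">
</head>
<body>
<h1>Security update</h1>
<p>We take your security, privacy, and transparency very seriously.</p>
<script>var a = 1;</script><div class="footer">footer</div><meta name="robots" content="noindex, nofollow"><div></div>
</body>
</html>
"""


if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
    print(header_noindex({"Content-Type": "text/html", "X-Robots-Tag": "noindex"}))
```

Run against a saved copy of the advisory (`audit_html(open("page.html").read())`) and against the response headers from the same request; a page can be de-indexed by either mechanism, and a clean HTML source says nothing about the header.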

Last year, infosec reporter and editor Zack Whittaker called out LastPass and GoTo for using similar tactics with LastPass’ 2022 security breach disclosure.

In August 2022, Slack reset user passwords after accidentally exposing password hashes in a separate incident. Unsurprisingly, that particular notice is also marked with a ‘noindex’ (both the U.S. and international versions).

In 2019, Slack announced it had reset passwords for about 1% of users impacted by the 2015 data breach who additionally met a set of criteria.

The good news, as far as the latest security update is concerned, is that no action needs to be taken by customers, for now.