Hacker News new | ask | show | jobs
by staticassertion 1667 days ago
Lots of credentials end up getting shared over slack. If you own slack you probably own a few other systems.

Also, extortion. I'm always amazed at what people will say over Slack DMs, seemingly not realizing that it all is accessible by the company.
1 comments
neom 1667 days ago
Real question not trying to be cute, it's just been 4+ years since I've been inside a company actively using slack.

Is that (creds) considered safe/secure these days? Is it common place? I kinda figured slack might get to be a 1password on top of everything else, so it's interesting to hear it's happening.

link
staticassertion 1667 days ago
> Is that (creds) considered safe/secure these days?

No, definitely not. It's just super convenient and happens all the time at every organization.

The most recent Twitter breach involved a credential shared in a Slack channel. Security teams have a hard time monitoring Slack and the default settings are pretty bad (infinite session length, infinite message retention).

link
neom 1666 days ago
Should there be a chat bot for this? "Hey, I see you just shared a credential, I'll remind you in 5 minutes to delete it, if the message is not deleted I'll alert a member of the security team" kinda thing?
link
mnahkies 1666 days ago
Ideally shouldn't the credential be rolled even if you delete the message?

Unless slack hard deletes messages, but my guess would be soft deletion. Even then it's not really designed for sending sensitive credentials

link
mvanbaak 1666 days ago
of course they should be rolled.

Even if slack would delete the message, clients like bitlbee and wee-slack exist, and save the messages as soon as they came in, and slack will not be able to delete them. Bots get those messages as well.

Just because the chat service deletes messages from their backend does not mean the message is deleted at the clients.

link
staticassertion 1666 days ago
Slack has no concept of a hard delete. There's always a record, as far as I know.

So yes, you'll want to: 1. Delete the message 2. Revoke the token 3. Notify the user/ security operations team

link
staticassertion 1666 days ago
Absolutely. I know lots of companies have rolled their own. I'm unaware of a public one. I've been meaning to write one myself, maybe I'll do that this weekend.
link
neom 1666 days ago
Can I help you with it just for fun? I'm not an engineer but somehow I'd love to help you! :) I added you on linkedin.
link
staticassertion 1666 days ago
Sure, though I'm planning to write it in Rust so if you're not an engineer it may be a bit rough. Will reply on Linkedin though.
link