[staticassertion]

> Is that (creds) considered safe/secure these days?

No, definitely not. It's just super convenient and happens all the time at every organization.

The most recent Twitter breach involved a credential shared in a Slack channel. Security teams have a hard time monitoring Slack and the default settings are pretty bad (infinite session length, infinite message retention).

[neom]

Should there be a chat bot for this? "Hey, I see you just shared a credential, I'll remind you in 5 minutes to delete it, if the message is not deleted I'll alert a member of the security team" kinda thing?

[mnahkies]

Ideally shouldn't the credential be rolled even if you delete the message?

Unless slack hard deletes messages, but my guess would be soft deletion. Even then it's not really designed for sending sensitive credentials

[mvanbaak]

of course they should be rolled.

Even if slack would delete the message, clients like bitlbee and wee-slack exist, and save the messages as soon as they came in, and slack will not be able to delete them. Bots get those messages as well.

Just because the chat service deletes messages from their backend does not mean the message is deleted at the clients.

[staticassertion]

Slack has no concept of a hard delete. There's always a record, as far as I know.

So yes, you'll want to: 1. Delete the message 2. Revoke the token 3. Notify the user/ security operations team

[staticassertion]

Absolutely. I know lots of companies have rolled their own. I'm unaware of a public one. I've been meaning to write one myself, maybe I'll do that this weekend.

[neom]

Can I help you with it just for fun? I'm not an engineer but somehow I'd love to help you! :) I added you on linkedin.

[staticassertion]

Sure, though I'm planning to write it in Rust so if you're not an engineer it may be a bit rough. Will reply on Linkedin though.