Slack Access Token

ID: slack_token

Severity: high

Vendor: Slack

Family: API Token

Description

Slack Access Tokens grant controlled access to the Slack API. The access is tied to the scopes and permissions granted to a third-party app integrating with the Slack platform.

There are multiple types of Slack access tokens available, each suited for different purposes:

  • Bot tokens, which represent a bot associated with an app installed in a workspace. They are tied to the app, not to a user’s identity. Prefixed by xoxb-.

  • User tokens, which represent workspace members. These tokens can be used to act on behalf of the underlying user. A user token carries the same access the user has to the workspace — the channels, conversations, users, reactions, etc. they can see. Write actions with user tokens are performed as if by the user themselves. Prefixed by xoxp-.

  • App-level tokens, which represent the Slack app itself. They are used for operations that relate to the app as a whole.

Other token types exist as well, such as configuration tokens, workspace tokens and legacy tokens.

Security

Any hardcoded Slack Access Token, regardless of its kind, is a potential secret reported by this detector.

Access tokens have different lifetimes and revocation rules. In general, store user and bot tokens with care and never place them in a public code repository or in client-side code such as JavaScript.

It is recommended to rotate access tokens periodically. Slack automatically revokes old tokens that remain unused for a long time.

See Slack’s Best practices for security for further details.

Examples

# Bot Token in slack URL
SLACK_DSN=slack://xoxb-3318531909841-3308820897268-XFP6jF2lxsxkczt8nliFcc8X@default?channel=@mychannel

# Bot token In yaml configuration
slack-bot-token: xoxb-675660624544-675670263056-vCSNM7pKAGgcBKOwvW2Kmi2K

# App token, legacy
MY_SLACK_TOKEN = 'xapp-1-BM3V7LC51DA-1441525068281-86641a2582cd0903402ab523e5bcc53b8253098c31591e529b55b41974d2e82f'
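The following scanner is an added example, not the detector's own implementation: it runs over the three example lines above (plus a constructed line with no secret), classifies each candidate by the prefixes the Description names, and redacts the value before reporting it. The regular expression is an assumption that approximates the prefix-plus-dashed-run shape of the examples; it does not encode Slack's exact segment lengths.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the first three lines are the page's own example
# values, the last one is a harmless line added to show that it is not flagged.
SAMPLE_LINES = [
    "SLACK_DSN=slack://xoxb-3318531909841-3308820897268-XFP6jF2lxsxkczt8nliFcc8X@default?channel=@mychannel",
    "slack-bot-token: xoxb-675660624544-675670263056-vCSNM7pKAGgcBKOwvW2Kmi2K",
    "MY_SLACK_TOKEN = 'xapp-1-BM3V7LC51DA-1441525068281-86641a2582cd0903402ab523e5bcc53b8253098c31591e529b55b41974d2e82f'",
    "log_level = debug  # no secret here",
]

# Prefixes named on the page, mapped to the token family they identify.
TOKEN_KINDS = {"xoxb": "bot token", "xoxp": "user token", "xapp": "app-level token"}

# Assumption: a known prefix followed by a reasonably long dash-separated run of
# alphanumerics is enough to flag a candidate for review.
TOKEN_RE = re.compile(r"\b(xoxb|xoxp|xapp)-[A-Za-z0-9-]{20,}")


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str  # prefix plus last four characters, safe to put in a report


def redact(token: str) -> str:
    """Keep the prefix and the last four characters so a finding can be matched
    against the secret store without reproducing the secret itself."""
    prefix = token.split("-", 1)[0]
    return f"{prefix}-...{token[-4:]}"


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per Slack token candidate, in file order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in TOKEN_RE.finditer(line):
            token = m.group(0).rstrip("-")
            findings.append(Finding(n, TOKEN_KINDS[m.group(1)], redact(token)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: hardcoded Slack {f.kind} ({f.redacted})")
```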

Mitigation / Fix

  1. Remove the hardcoded access token from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Slack provides the auth.revoke API method for token revocation.

  3. Check access logs (Slack’s Events API log) to ensure that the secret was not used by unintended actors during the compromised period.

  4. As an additional mitigation control, restrict token usage to an allow-list of IP addresses where possible. Go to the Restrict API Token Usage section in the application management console.