Slack Incoming Webhook URL
| Field | Value |
|---|---|
| ID | slack_webhook |
| Severity | low |
| Vendor | Slack |
| Family | Generic secret |
Description
Slack’s Incoming Webhook URLs allow posting messages only to the specific channel configured by the member who approved the webhook. Messages are always posted under the identity of the application the URL belongs to; the URL cannot be used to post as an arbitrary user or into an unapproved channel.
Security
The Slack documentation for webhooks notes:
Keep it secret, keep it safe. Your webhook URL contains a secret. Don’t share it online, including via public version control repositories. Slack actively searches out and revokes leaked secrets.
On creation, the Slack webhook is associated with a single channel to which it can post messages. This appears to limit misuse to posting unintended messages in that channel, so the impact depends on what messages in that channel are used for.
Examples
slack_webhook = "https://hooks.slack.com/services/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";
Mitigation / Fix
- Remove the URL from the source code or committed configuration file.
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). You may need to delete the Slack app and create a new one, since the documentation does not describe how to revoke or regenerate a webhook URL.
- Review the target Slack channel for suspicious messages posted during the window of exposure and check how they were used.
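A small scanner for this secret family, added here as an illustration rather than code from the detector this page documents: it finds Slack Incoming Webhook URLs in text, records each hit with the ID and severity from the table above, and produces a redacted form that keeps the team and app identifiers (which tell you which Slack app to revoke or replace) while masking the token. The URL shape and the id/token lengths in `SLACK_WEBHOOK_RE` are assumptions chosen to fit the page's own example, not Slack's published specification; `Finding`, `redact` and `find_slack_webhooks` are names introduced for this example, and the sample input is constructed.

```python
import re
from dataclasses import dataclass

# Assumed URL shape for a Slack Incoming Webhook (the page's example fits it):
#   https://hooks.slack.com/services/<team id>/<app id>/<token>
# The minimum lengths are assumptions matching the example, not Slack's spec.
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/"
    r"(?P<team>T[A-Z0-9]{8,})/(?P<app>B[A-Z0-9]{8,})/(?P<token>[A-Za-z0-9]{20,})"
)


@dataclass(frozen=True)
class Finding:
    """One detected webhook URL, tagged with the detector's ID and severity."""
    line_no: int                       # 1-based line in the scanned text
    url: str                           # full matched webhook URL (the secret)
    redacted: str                      # safe form for reports and tickets
    detector_id: str = "slack_webhook"
    severity: str = "low"


def redact(url: str) -> str:
    """Keep team/app ids (they identify which app to revoke) and mask the token."""
    m = SLACK_WEBHOOK_RE.fullmatch(url)
    if not m:
        raise ValueError("not a Slack Incoming Webhook URL")
    masked = "*" * len(m["token"])
    return f"https://hooks.slack.com/services/{m['team']}/{m['app']}/{masked}"


def find_slack_webhooks(text: str) -> list[Finding]:
    """Scan text line by line and return a Finding per webhook URL found."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SLACK_WEBHOOK_RE.finditer(line):
            url = m.group(0)
            findings.append(Finding(line_no, url, redact(url)))
    return findings


# Constructed sample: the page's example URL, a hooks.slack.com URL that is
# not a webhook, and an unrelated Slack API URL (the last two must not match).
SAMPLE = """\
slack_webhook = "https://hooks.slack.com/services/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";
docs_url = "https://hooks.slack.com/help"
api_base = "https://slack.com/api/chat.postMessage"
"""

if __name__ == "__main__":
    for f in find_slack_webhooks(SAMPLE):
        print(f"{f.detector_id} ({f.severity}) line {f.line_no}: {f.redacted}")
```

The report prints only the redacted form, so the secret is not copied into tickets or chat while the team and app ids still point at the app that has to be replaced.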