Slack API/Signing Secret

ID

slack_secret

Severity

high

Vendor

Slack

Family

Generic secret

Description

A Slack API secret (the client secret shown in a Slack app's Basic Information settings, next to its client ID) acts like a password: together with the client ID it authenticates the app itself, for instance when the app exchanges an OAuth authorization code for an access token.

Note: Please do not confuse the API secret with API tokens, spotted by the slack-token detector.

Another secret in Slack is the signing secret, a unique string created by Slack for authenticating requests that Slack sends to your app (slash commands, event subscriptions, interactive payloads). Slack adds a signature to each request in the X-Slack-Signature header: technically an HMAC-SHA256 keyed with the signing secret, computed over the string "v0:" + the value of the X-Slack-Request-Timestamp header + ":" + the raw request body, hex-encoded and prefixed with "v0=". See "Verifying requests from Slack" for full details.

Security

A hardcoded API secret lets anyone who reads the code impersonate the app in its OAuth exchanges with Slack, i.e. run unintended actions at the app level rather than as a single user.

Leaking the signing secret lets an attacker forge requests that your app accepts as coming from Slack. Because verifying a request means recomputing the HMAC with the signing secret over the request payload, the secret is sometimes hard-coded into the verification code itself. With the secret in hand, an attacker can compute a valid X-Slack-Signature for a body of their choosing (a slash command, an event, a button click payload) and the receiving application will treat the forged request as authentic.
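The verification described above, written out as an added example (this is not code from the page or from Slack; the signing secret value and the request body are constructed sample data, the secret being the placeholder from the Examples section below). It shows both halves of the problem: compute_signature is exactly what an attacker holding a leaked signing secret runs to forge a request, and verify_slack_request is the check a receiving app should perform, reading the secret from the environment rather than from source code, comparing in constant time and rejecting stale timestamps to limit replay:

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Slack's scheme: basestring "v0:{timestamp}:{raw body}", HMAC-SHA256 keyed
# with the app's signing secret, hex-encoded, sent as "v0=<hex>".
SIGNATURE_VERSION = "v0"
# Requests whose timestamp is further than this from "now" are rejected,
# which bounds how long a captured (legitimately signed) request can be replayed.
MAX_SKEW_SECONDS = 5 * 60


def compute_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Return the value Slack places in X-Slack-Signature for this request.

    Anyone who knows signing_secret can call this, which is why a leaked
    signing secret lets an attacker forge requests "from Slack".
    """
    basestring = f"{SIGNATURE_VERSION}:{timestamp}:".encode("utf-8") + body
    digest = hmac.new(signing_secret.encode("utf-8"), basestring, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_slack_request(signing_secret: str, headers: dict, body: bytes,
                         now: Optional[float] = None) -> bool:
    """Return True only if the request carries a fresh, valid Slack signature.

    `headers` is a plain dict; lookup is case-insensitive because frameworks
    differ in how they normalise header names. `now` is injectable for tests.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get("x-slack-request-timestamp", "")
    received = lowered.get("x-slack-signature", "")
    if not timestamp or not received:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # too old (possible replay) or too far in the future
    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison: a plain == leaks timing about the expected value.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # In a real app the secret comes from the environment or a secret store,
    # never from a literal in the verification code. The fallback here is the
    # placeholder value from the Examples section, used only for this demo.
    secret = os.environ.get("SLACK_SIGNING_SECRET", "lv7vouc37g1q5wqum94nmy864vquntv2")
    body = b"token=xyz&team_id=T0001&command=%2Fdeploy&text=prod"
    ts = str(int(time.time()))
    # A request Slack would send.
    good = {"X-Slack-Request-Timestamp": ts,
            "X-Slack-Signature": compute_signature(secret, ts, body)}
    print("genuine request accepted:", verify_slack_request(secret, good, body))
    # The same headers with a tampered body: rejected.
    print("tampered body accepted:", verify_slack_request(secret, good, body + b"&text=rm+-rf"))
    # An attacker who leaked the secret forges a fresh signature: accepted.
    forged_body = b"token=xyz&team_id=T0001&command=%2Fdeploy&text=attacker-branch"
    forged = {"X-Slack-Request-Timestamp": ts,
              "X-Slack-Signature": compute_signature(secret, ts, forged_body)}
    print("forged with leaked secret accepted:", verify_slack_request(secret, forged, forged_body))
```

The last line of the demo is the point of this detector: once the signing secret is known, the verifier cannot distinguish a forged request from a genuine one, so the only fix is to rotate the secret.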

Examples

  slack:
    slack-id: 0123456789012.0123456789012
    slack-secret: f98legefqs3kyqub641xagvpgb00h02s
    slack-signing-secret: lv7vouc37g1q5wqum94nmy864vquntv2

Mitigation / Fix

  1. Remove the secret from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s): regenerate the client secret or the signing secret from the Slack app's settings (admin panel), then deploy the new value to every verifier that uses it.

  3. Check access logs to ensure that the secret was not used by unintended actors during the compromised period. For a leaked signing secret, that means checking that your application did not accept forged requests as valid, for example inbound "Slack" requests that arrived from unexpected sources or that do not match actions your workspace actually performed.

  4. For additional security, restrict where the app's tokens can be used from: Slack apps can allowlist IP address ranges for API token usage (the "Restrict API Token Usage" setting under OAuth & Permissions), so a stolen credential is useless from an attacker's network.