Originally published at: Overlooked Webhooks Exploit Endpoint Vulnerability in Slack Channels - CloudSEK
CloudSEK’s flagship application scanning platform BeVigil has detected leaked Slack webhooks in one of the applications being monitored. A webhook is a lightweight API used for one-way communication between different applications. Incoming Slack webhooks allow their users to post messages from external applications into selected Slack Channels.
Creating an incoming webhook on Slack generates a unique URL through which a JSON payload with a text message is sent to the intended Slack Channel. The generated URL contains sensitive information which if leaked, could compromise the Slack Channel and the information shared through them.
- CloudSEK’s Customer Threat Research team analyzed the findings from BeVigil and discovered multiple Slack webhooks in the said application.
- Incoming webhooks are a simple way to post messages from third-party apps into Slack. Threat actors can leverage these to launch phishing attacks on users of the Slack application.
Slack webhooks are often considered low-risk integrations because of the following reasons:
- Webhooks are made for a targeted Slack Channel, thus reducing the scope of the breach.
- The generated URLs are unique and confidential.
- Webhooks only deliver data, and thus cannot be used to extract sensitive information on its own.
- Slack actively searches for and revokes leaked URLs.
Slack webhooks should not be overlooked while securing the application endpoints as they can be exploited in the following ways:
- A plethora of Slack Webhook URLs can be found across open sources on the internet alone, with a majority of them containing sensitive and uncensored webhook values.
- Exposed incoming webhooks allow threat actors to post unauthorized and potentially malicious messages into Slack channels.
- A simple POST request can be used by threat actors to send out malicious messages by using the curl command given below.
Curl command used to send out malicious messages
- It is also possible to add a channel override, which will remove the URL’s restriction to the target Channel. This can be achieved by adding the “channel” key to the JSON payload. Further, if a webhook created by an administrator is breached, it can be used to access all administrative channels.
- Slack users may be tricked into installing malicious applications designed by threat actors, which can breach Slack Channels for sensitive information, leading to a compromise of confidential files and messages sent through the platform.
- The threat can be further escalated by formatting the message using images, markdowns, and hyperlinks to make it look more legitimate. This helps in achieving 100% phishing success per message since every single message can be read by multiple Slack users.
- Further investigation of the application’s Slack webhook endpoint revealed that if a request is sent to the vulnerable endpoint, an “invalid_payload” error is generated, indicating that the webhook is still active.
- Further testing on this endpoint has been halted as it might impact the current slack channels being used by the webhook.
- While triaging through multiple dark and surface web cybercrime forums/ marketplaces, CloudSEK’s Threat Research team discovered a group of threat actors discussing multiple ways to exploit such Slack webhooks.
- Multiple threat actors were seen propagating scripts that can lead to further exploitation of this vulnerability by monitoring logs and credentials.
- On 6 June 2021, 780 GB of sensitive data including the source code to a variety of tools and services was breached from Electronic Arts (EA), an American video gaming company.
- In this attack, the attackers bought stolen cookies for EA on an underground forum, which were used to infiltrate the company’s Slack Channel via vulnerable Slack webhooks.
- The attackers posing as EA employees on Slack then tricked the IT Administrator into providing them with network access, after which two more attack vectors were used to exploit the existing technical vulnerabilities.
- Slack phishing attacks using webhooks | AT&T Alien Labs
- Propagating phishing via Slack webhooks | by Amir Shaked | PerimeterX | Medium
- Sending messages using Incoming Webhooks
- Hacked via Slack: How to Avoid an EA-style Breach
- *Intelligence source and information reliability – Wikipedia
- #Traffic Light Protocol – Wikipedia