Overlooked Webhooks Exploit Endpoint Vulnerability in Slack Channels

BeVigil has detected leaked Slack incoming-webhook URLs in one of the applications it monitors. A leaked webhook cannot read a channel, but it lets an attacker push arbitrary messages into a trusted internal channel, which is an effective springboard for phishing and, from there, for stealing sensitive data.
Published on June 22, 2022. Updated on April 19, 2023. 5 minute read.

Category: Vulnerability Intelligence
Vulnerability Class: Information Disclosure
Region: Global
Industry: Multiple

Executive Summary

Threat
  • An application monitored by BeVigil was found to have Slack incoming-webhook URLs leaked in its assets.
  • Incoming webhooks are a simple way to post messages from third-party apps into Slack.
Impact
  • Leaked webhooks allow threat actors to send unauthorized and potentially malicious messages into Slack channels.
  • Those messages arrive in a trusted internal channel and can be used to phish users for credentials and sensitive data.
Mitigation
  • Invalidate (revoke) exposed webhooks.
  • Restrict which channels webhooks can post to.
  • Apply the least-privilege principle to Slack webhooks and apps.
  • Continuously monitor Slack OAuth applications installed in the workspace.
CloudSEK's flagship application scanning platform BeVigil has detected leaked Slack webhooks in one of the applications being monitored. A webhook is a lightweight, one-way HTTP callback between applications: the sender issues an HTTP POST to a URL that the receiver has handed out in advance. Slack's incoming webhooks let external applications post messages into a selected Slack channel this way.

Creating an incoming webhook in Slack generates a unique URL; a JSON payload containing the message text is POSTed to that URL and the message appears in the intended channel. The URL is the only credential: anyone who holds it can post. If it is leaked, the channel it targets, and the trust users place in messages there, can be abused.

Figure: Screenshot of BeVigil dashboard showing the leaked Slack webhooks

Technical Analysis

  • CloudSEK's Customer Threat Research team analyzed the findings from BeVigil and discovered multiple Slack webhook URLs embedded in the application's assets.
  • Incoming webhooks are a simple way to post messages from third-party apps into Slack. Threat actors who obtain one can use it to deliver phishing messages directly to the users of the affected Slack workspace.

Why are Slack Webhooks Overlooked?

Slack webhooks are often considered low-risk integrations because of the following reasons:
  • Webhooks are made for a targeted Slack Channel, thus reducing the scope of the breach.
  • The generated URLs are unique and confidential.
  • Webhooks only deliver data into Slack, so on their own they cannot be used to read or extract information from a channel.
  • Slack actively searches for and revokes leaked URLs.

How Threat Actors Exploit Slack Webhooks?

Slack webhooks should not be overlooked while securing the application endpoints as they can be exploited in the following ways:
  • Large numbers of Slack webhook URLs can be found across open sources on the internet alone, most of them with the full, unredacted webhook value.
  • Exposed incoming webhooks allow threat actors to post unauthorized and potentially malicious messages into Slack channels.
  • No authentication beyond the URL is required: a single POST request such as the curl command below is enough to deliver a message.
curl -X POST -H 'Content-type: application/json' --data '{"text": "Hello, world."}' "$WEBHOOK_URL"
Curl command used to post a message through a leaked webhook (WEBHOOK_URL holds the leaked URL)
  • Legacy incoming webhooks (the "custom integration" type) accept a channel override: adding a "channel" key to the JSON payload, for example "#general", redirects the message away from the channel the URL was created for. Webhooks created by a Slack app since 2020 ignore this key and are locked to the channel chosen at install time, so check which type a leaked URL belongs to. If a legacy webhook created by an administrator is leaked, it can be used to post into any channel that administrator could post to, including administrative channels.
  • Slack users may be tricked into installing malicious applications built by threat actors; unlike a webhook, an installed app can be granted read access to channels, leading to the compromise of confidential files and messages shared through the platform.
  • The threat is escalated by formatting the message with images, markdown, and hyperlinks so that it looks like a legitimate internal notification. Because the message lands inside a trusted workspace rather than an external inbox, it bypasses email phishing filters and is seen by every member of the channel.

Information from the Vulnerable Endpoint

  • Further investigation of the application's Slack webhook endpoint showed that a malformed request sent to it returns an "invalid_payload" error. Slack only validates the payload of a webhook that still routes to a channel, so this response indicates that the webhook is still active, while a revoked URL would be rejected outright.
Figure: "invalid_payload" error message returned by the vulnerable endpoint
  • Further testing on this endpoint was halted, as sending a well-formed payload would post a message into the Slack channels currently served by the webhook.

Information from Cybercrime Forums

  • While triaging multiple dark-web and surface-web cybercrime forums and marketplaces, CloudSEK's Threat Research team discovered a group of threat actors discussing multiple ways to exploit such Slack webhooks.
Figure: Screenshot of scripts posted by a threat actor to escalate the Slack webhook bug
  • Multiple threat actors were seen sharing scripts that take a leaked webhook further, using it to deliver lures that harvest logs and credentials from the targeted workspace.
Figure: Script shared by a threat actor on GitHub to exploit webhooks by using credentials

Similar Incident

  • On 6 June 2021, 780 GB of sensitive data, including the source code of a variety of tools and services, was stolen from Electronic Arts (EA), an American video game company.
  • In this attack, the attackers bought a stolen EA employee Slack session cookie on an underground forum and used it to log in to the company's Slack workspace.
  • Posing as EA employees on Slack, the attackers then tricked IT support into granting them network access, after which two further attack vectors were used to exploit existing technical vulnerabilities. The incident illustrates the same weakness that leaked webhooks expose: messages arriving inside Slack are trusted as internal.

Impact & Mitigation

Impact
  • Leaked Slack webhooks allow threat actors to send unauthorized and potentially malicious messages on Slack.
  • Threat actors could chain attacks from there, tricking users into installing malicious applications that give them access to confidential files and messages in Slack channels.
  • Legacy webhooks honoring a channel override might allow messages to be sent to any channel in the workspace, widening the scope for phishing attacks.
Mitigation
  • Revoke all the leaked webhooks.
  • Modify the application code to remove any embedded webhook URLs; store them server-side as secrets, never in shipped assets.
  • Apply the least-privilege principle to Slack webhooks and apps.
  • Continuously monitor the Slack OAuth applications installed in the workspace.
  • Slack has no built-in anti-phishing mechanism, so users should be cautious of messages from external users or unfamiliar integrations in their workspace.
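The following Python, added here as an illustration and not part of CloudSEK's report or the BeVigil platform, covers two steps the sections above describe: finding webhook URLs in application assets (the exposure BeVigil detected) and checking which of them are still live with the same non-destructive trick used in the endpoint analysis, a deliberately malformed POST that a live hook answers with "invalid_payload" without posting anything, before revoking them. The URL pattern follows the hooks.slack.com/services/T<team>/B<bot>/<token> shape documented by Slack; the sample asset strings, IDs and tokens are constructed; treating a 404 or "no_service" reply as a revoked hook is an assumption to verify against your own workspace.

```python
"""Find Slack incoming-webhook URLs leaked in application assets and
classify whether each is still live without posting a message.
Added example; not code from the original report or from BeVigil."""
import re
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Shape of an incoming-webhook URL as documented by Slack:
#   https://hooks.slack.com/services/T<team id>/B<bot id>/<secret token>
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]+)"
)


def find_webhooks(blob: str) -> List[str]:
    """Return the unique webhook URLs found in decompiled code, config or build scripts."""
    return sorted({m.group(0) for m in WEBHOOK_RE.finditer(blob)})


def redact(url: str) -> str:
    """Mask the secret token so a finding can be reported without re-leaking it."""
    m = WEBHOOK_RE.fullmatch(url)
    if not m:
        raise ValueError("not a Slack incoming-webhook URL")
    team, bot, token = m.groups()
    return f"https://hooks.slack.com/services/{team}/{bot}/{token[:4]}{'*' * (len(token) - 4)}"


def _http_send(url: str, body: bytes) -> Tuple[int, str]:
    """Real transport: POST `body` and return (HTTP status, response text)."""
    req = urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Not valid JSON: a live hook rejects it with "invalid_payload" and posts nothing.
MALFORMED = b"{"


def classify(status: int, body: str) -> str:
    """Map Slack's reply to the malformed probe onto active / revoked / unknown."""
    body = body.strip()
    if body == "invalid_payload":  # the reply the report observed on a live hook
        return "active"
    if status == 404 or body == "no_service":  # assumption: reply for a revoked hook
        return "revoked"
    if status == 200:  # only possible if the body was accepted; never with MALFORMED
        return "active"
    return f"unknown({status}:{body[:40]})"


def probe(url: str, send: Callable[[str, bytes], Tuple[int, str]] = _http_send) -> str:
    """Liveness check that cannot deliver a message: send MALFORMED and classify the error.
    `send` is injectable so the logic can be exercised offline."""
    return classify(*send(url, MALFORMED))


# Constructed sample of strings pulled from a decompiled app (fake IDs and tokens).
SAMPLE_ASSETS = """
const SLACK_HOOK = "https://hooks.slack.com/services/T0000AAAA/B1111BBBB/abcdefghijklmnopqrstuvwx";
fallback: https://hooks.slack.com/services/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
https://hooks.slack.com/services/T0000AAAA/B1111BBBB/abcdefghijklmnopqrstuvwx
"""

if __name__ == "__main__":
    # Offline run: list findings in redacted form. Call probe(url) to check a real hook.
    for hook in find_webhooks(SAMPLE_ASSETS):
        print("leaked webhook:", redact(hook))
```

Run the scanner over decompiled APK/IPA resources, JavaScript bundles and CI configuration; report findings in redacted form, and probe only hooks you are authorized to test, since a well-formed payload would reach the channel.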


Appendix

Figure: Slack API guide to setting up Slack webhooks
