
Your Slack login details are on GitHub - pyprism
http://thenextweb.com/insider/2016/04/29/your-slack-login-details-are-on-gitbub/
======
RubyPinch
"a vulnerability in Slack bots" should really be "a vulnerability in Slack bot
developers"

This isn't a Slack-specific issue, and it seems silly that it's getting the
attention that it is, just because of the word "slack".

~~~
AdamJacobMuller
Yes.

The only reason anyone includes Slack in this is because it's a shiny new thing
that is very popular right now (for good reason).

This is just another instance of the 'people committing credentials to public
repositories' problem that has been around since before GitHub even existed.

While I fully support efforts to mitigate this (GitHub could and should track
when people commit things like credentials, and warn them in some way) and
they should facilitate with companies like Slack to push to Slack (so Slack
can warn/disable) lists of tokens, this does not need to be some sensationalist
thing and does not indicate any kind of vulnerability in either Slack or
GitHub.

~~~
narrowrail
I believe AWS uses the GitHub API to determine when projects compromise their
(or their users') AWS credentials and takes steps (i.e. revokes credentials) to
mitigate disaster. Perhaps Slack needs to start doing the same for their bots?

~~~
AdamJacobMuller
It is not a bad idea. Amazon has more at stake because a compromised token is
going to lead to someone doing bad things with AWS and probably running up a
huge bill that Amazon will have to stick the customer with, annoying the
customer, or simply eat the cost.
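
The check discussed in this subthread (scanning committed changes for credentials so the owner can be warned or the token revoked), as an added example that is not part of the thread and is not GitHub's, Slack's or AWS's code. The `xox` prefix pattern and the length threshold are assumptions, and the diff and token below are constructed.

```python
import re

# Assumption: Slack API tokens start with "xox" plus a type letter (b = bot,
# p = user, ...). The minimum length of 10 is a heuristic, not a Slack rule.
TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def redact(token):
    """Keep the type prefix and last 4 characters so the report is not itself a leak."""
    return token[:5] + "*" * (len(token) - 9) + token[-4:]

def scan_diff(diff_text):
    """Return (path, new_line_number, redacted_token) for tokens on added lines."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        hunk = HUNK_RE.match(line)
        if hunk:
            lineno, in_hunk = int(hunk.group(1)), True
        elif line.startswith("diff --git"):
            in_hunk = False                      # next file header follows
        elif not in_hunk:
            if line.startswith("+++ "):
                path = line[4:]
                if path.startswith("b/"):
                    path = path[2:]
        elif line.startswith("+"):
            for token in TOKEN_RE.findall(line[1:]):
                findings.append((path, lineno, redact(token)))
            lineno += 1
        elif line.startswith(" "):
            lineno += 1                          # context line exists in the new file
        # "-" lines are removals: they do not advance the new-file line counter
    return findings

# Constructed sample: a fake token hard-coded in place of an environment lookup.
FAKE = "xoxb-" + "0" * 12 + "-EXAMPLEONLYNOTREAL"
SAMPLE_DIFF = f"""diff --git a/bot/config.py b/bot/config.py
--- a/bot/config.py
+++ b/bot/config.py
@@ -1,3 +1,4 @@
 import os
-TOKEN = os.environ["SLACK_TOKEN"]
+# quick test, will remove later
+TOKEN = "{FAKE}"
 CHANNEL = "#general"
"""

if __name__ == "__main__":
    for path, lineno, token in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: possible Slack token {token}")
```

Only added lines are reported, so a token that a later commit deletes is not flagged by that commit's diff even though it remains in the repository history and still needs revoking.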

------
mikestew
I flagged this because not only is the title click-baity, it's flat-out wrong:
I can assure you that my Slack login details are nowhere near GitHub.

