Slack’s GitHub Exposed – Another MFA Failure

Slack reported suspicious activity on January 9th, 2023 regarding a breach of its externally hosted GitHub account. Upon investigation, it was found that tokens belonging to a few Slack employees had been stolen and used to gain access to remote git repositories. The threat actors also downloaded code from a private repository. Slack stated that the threat originated from a third-party vendor, and assured its users that no customer data was at risk.

Previous Incidents

In March 2015, Slack shared that it had been hacked for over four days in February 2015. Additionally, in January 2021 it had an outage lasting several hours. In a previous blog, we discussed a security bug in Slack from December 2022, where passwords were stored in plain text by its Android app.

Reason and Impact

The attackers were able to gain access due to a security flaw in Slack’s authentication system, using brute force. Once they had access, they were able to steal the secret seeds (used to generate pseudorandom tokens) associated with the organisation’s account and gain access to the private code repositories stored on GitHub. The fact that a brute force attack was successful indicates a security lapse on Slack’s part.

The company claims that the threat actors did not get access to the production environment, customer data or Slack resources. Additionally, Slack rotated the affected tokens with the third-party vendors and deployed additional security on its externally hosted GitHub.

About MFA Tokens

In their update, what Slack refers to as tokens are MFA seeds or secret keys. These seeds or keys are a shared secret between Slack’s server and the user’s MFA application. The seeds are used to generate the one-time tokens, which then authenticate the user in conjunction with a password.

image credit – Twilio

Twilio has provided here a detailed explanation of how MFA works with secret keys. Unfortunately, Twilio’s Authy was breached in the recent past and customers’ TOTP secret keys were leaked.

Mitigation

Authentication systems that depend on abusable data such as passwords, biometrics, or TOTP/HOTP tokens, as opposed to public keys, are insecure by design. Adopting an authentication solution built on zero-knowledge factors makes it resilient to data leakage in the event of a breach.

PureID’s passwordless authentication platform, PureAUTH, eliminates this risk even in the event of a total breach of the authentication parameters it uses to verify users.

Check out how PureAUTH makes Slack passwordless and secure from credential-based attacks.

Connect with us to know how PureAUTH platform can help your enterprise be more secure and resilient.

Your 1st Step to #GoPasswordless

Everyone understands and acknowledges that passwords are evil and are the biggest risk for enterprises. We have also seen that augmenting passwords with additional factors not only makes the authentication process complex and costly but also fails to provide any effective security. Clearly, enterprises must choose to #GoPasswordless. In this blog, we discuss how.

Securing your first line of Defence

VPNs are the first line of defence of any enterprise. Most of your workforce accesses your enterprise network through a VPN. This also means that the VPN sees most of the network-based and credential stuffing attacks. Making the VPN passwordless prevents credential stuffing and attacks arising from MFA bypass.

Modern VPNs you can readily make Passwordless

Challenges

Enterprise users need time and a systematic approach to transition from password + MFA based authentication to passwordless authentication. Not all users can make this transition overnight, and this becomes a hurdle in adopting a new type of authentication system.

Phased Approach

PureAUTH integrates with many leading, modern VPNs that support multiple authentication mechanisms simultaneously over different interfaces. This allows enterprises to transition their users from passwords to passwordless authentication in a phased manner.

  • Typically our customers opt to add an additional interface on the VPN to support passwordless authentication with PureAUTH.
  • In the first phase they put 10% of their users on the passwordless authentication system, allowing the rest of the workforce to continue with their usual method without any disruption.
  • After testing the new system with the initial users, the next 80% of users are moved to passwordless mode.
  • By this time the enterprise is ready to move the remaining 10% of users to the passwordless system.
  • Once all users have transitioned, it is safe to scrap password-based authentication.
  • Once all enterprise users are comfortable authenticating with the passwordless method, it is time for other applications to #GoPasswordless.

In this video you can see how Cisco AnyConnect supports both password and passwordless authentication simultaneously.

Conclusion

PureAUTH makes it easy to secure your VPN with passwordless authentication and helps your workforce make a smooth transition from passwords to #GoPasswordless. Get in touch with us to try it out in your network.