Slack’s GitHub Exposed – Another MFA Failure

Slack reported suspicious activity on January 9th, 2023 regarding a breach in it’s remotely stored GitHub account. Upon investigation, it was found that tokens of a few Slack employees were stolen, and used to gain access to remote git repositories. The threat actors also downloaded code from private repository. Slack also stated that the threat resulted from a third party vendor, and also assured its users that no customer data is at risk.

Previous Incidents

In March 2015, Slack shared that it had been hacked for over four days in Feb 2015. Additionally, In January 2021, it had a outage for several hours. In a previous blog , we have discussed a past security bug on Slack at December 2022 where passwords were stored in their Android apps in plain text.

Reason and Impact

The attackers were able to gain access due to a security flaw in Slack’s authentication system using Brute Force. Once they had access, they were able to steal the secret seeds (used to generate pseudo random tokens) associated with that organisation’s account and gain access to the private code repositories stored on GitHub. The fact that a brute force attack was successful indicates a security lapse from Slack.

The company claims that the threat actors did not get access to production environment, customer data or Slack resources. Additionally, Slack rotated the concerning tokens with the third vendors, and deployed additional security on their externally hosted GitHub.

About MFA Tokens

In their update what Slack is mentioning as token are MFA seeds or secret keys. These seeds or keys are shared secret between the (Slack’s) server and user’s MFA application. These seeds are used in generation of tokens which are then used to authenticate user in conjunction with passwords.

image credit – Twilio

Twilio has provided here a detailed explanation on how the MFA works with secret keys. Unfortunately Twilio’s Authy was breached and customer’s TOTP secret keys were leaked in the recent past.

Mitigation

Authentication system depending on abusable data like Passwords, Biometrics, or TOTP/HOTP Tokens, of public-keys are insecure by design. Adopting authentication solution which makes use of zero-knowledge factors are resilient to data leakage in case of breach.

PureID‘s Passwordless Authentication platform – PureAUTH eliminates the risk in case of total breach of the authentication parameters it uses to verify users.

Check out, how PureAUTH makes Slack Passwordless and secure from credential based attacks.

Connect with us to know how PureAUTH platform can help your enterprise be more secure and resilient.

Passwords are like Plastic; Lets get rid of ’em

Passwords are at the foundation of security and access control ever since humans felt the need of securing resources and access to it. Passwords have been used and abused since millennium and the best documented example of this is “Open Sesame”. 

The surprising fact is even after millennium passwords are ubiquitous, and mean anything but security. The World Password Day is coming up on 7th of May 2020,  let us see what we have learned in the last decade about passwords.

Passwords are Pain

Passwords are pain for an enterprise, right from its users to administrators.

Pain to Manage

A 2016 survey conducted by Intel Security concluded that an average person uses 27 discrete online services. For security reasons it is a must to have different passwords for enterprise applications, social networking sites and online banking but at the same time, very painful to remember all of them. People often reuse their enterprise passwords at external sites and vice versa.

Pain to Comply & Govern

Compliance & Governance mandate passwords to be complex and securely stored. Time and again we have seen from the incidents at  Robinhood, GitHub, Facebook, Instagram and Citrix that even world class enterprises fail to comply. Another big governance failure is to restrict unwarranted sharing of credentials and OTP within an organisation.

Enterprise measures for compliance & governance are defeated due to users’ and administrator’s common but insecure practices.

Passwords in plain text
Passwords in plain text

Pain to Secure

Enterprises spend a significant sum to secure passwords by layering them with additional factors. This increases more things to manage and support but still leaves passwords insecure.

Enterprises are insecure as long as they have passwords in their system

Credential sharing
Credential sharing

Passwords are Risk

2018  Verizon Data Breach Investigation Report stated that 81% of the breaches that year involved Passwords. Phishing, credential stuffing and stealing passwords from processes or dumps being the top vectors.

2019  Verizon Data Breach Investigation Report stated Stolen Credentials as a top most risk for an enterprise, along with web-application vulnerabilities and ransomware.

2020 First quarter is over and things have not changed much. So far we have seen several security incidents involving Passwords.

Cognizant breached by Maze ransomware
SFO Airport breached with stolen credentials
Compromised Zoom credentials swapped in underground

Phishing
Phishing

Passwords are Outdated

The universal availability of mobile devices and newer ways  of authentication it offers, has inspired the world to think Beyond Passwords.

Gartner suggests “Eliminate centrally managed passwords for better security, fewer breaches, lower support costs and enhanced user experience.” in its report Passwordless Approach to improve security

Conclusion

This new decade is a time to go passwordless.