Disconnected custom bots and team security
Early on December 23, 2015 we disconnected certain custom bots created by users whose accounts had previously been deactivated. We did this to help ensure the security of the content for the Slack teams they had been enabled for.
A custom bot is an application that is a non-human user on your team. Slack team members can interact with it just like they do with each other. Like any other Slack team integration, it must be set up by a human user. When that human user is deactivated, the custom bot should likewise go away and no longer have access to the team and its content. We received a bug report that led us to believe that this was not happening in all cases as it should have. When we audited our systems for similar activity, we found that some custom bots on other teams remained enabled when they should not have been.
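The ownership lifecycle described above, modelled in code as an added example (this is not Slack's code and the class, field and id names are hypothetical): a user deactivation that forgets to cascade to the user's custom bots, the correct cascade, a request-time check that refuses a bot whose owner is no longer active even if the cascade was missed, and the audit that finds bots left enabled after their owner was deactivated. The sample team and ids are constructed for the example.

```python
"""Added illustrative example (not Slack's code). Models the link between a
human user and the custom bots that user set up, and the audit that finds bots
still enabled after their owner was deactivated.

Assumptions (not from the page): the dataclass names, field names and the
in-memory team store are hypothetical; a real system would apply the same logic
against its user and integration tables."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class User:
    user_id: str
    active: bool = True


@dataclass
class CustomBot:
    bot_id: str
    owner_id: str          # the human user who set the bot up
    enabled: bool = True


@dataclass
class Team:
    users: Dict[str, User] = field(default_factory=dict)
    bots: Dict[str, CustomBot] = field(default_factory=dict)

    def deactivate_user_buggy(self, user_id: str) -> None:
        """The failure mode: the human account is deactivated but the bots
        that user created stay enabled, so their credentials still reach
        team content."""
        self.users[user_id].active = False

    def deactivate_user(self, user_id: str) -> List[str]:
        """Correct behaviour: deactivation cascades to every custom bot the
        user owns. Returns the ids of the bots that were disabled."""
        self.users[user_id].active = False
        disabled = []
        for bot in self.bots.values():
            if bot.owner_id == user_id and bot.enabled:
                bot.enabled = False
                disabled.append(bot.bot_id)
        return sorted(disabled)

    def bot_can_access(self, bot_id: str) -> bool:
        """Request-time authorization: a bot is only honoured when it is
        enabled AND its owner is still an active user. Checking the owner
        here denies an orphaned bot even if the cascade above was missed."""
        bot = self.bots.get(bot_id)
        if bot is None or not bot.enabled:
            return False
        owner = self.users.get(bot.owner_id)
        return owner is not None and owner.active

    def audit_orphaned_bots(self) -> List[str]:
        """The audit: bots still enabled whose owner is deactivated or gone."""
        return sorted(
            bot.bot_id for bot in self.bots.values()
            if bot.enabled and not (
                bot.owner_id in self.users and self.users[bot.owner_id].active)
        )

    def remediate(self) -> List[str]:
        """Disable every orphaned bot the audit finds; return what was disabled."""
        orphaned = self.audit_orphaned_bots()
        for bot_id in orphaned:
            self.bots[bot_id].enabled = False
        return orphaned


def build_sample_team() -> Team:
    """Constructed sample data (not real Slack teams, users or ids)."""
    team = Team()
    for uid in ("U_ALICE", "U_BOB", "U_CAROL"):
        team.users[uid] = User(uid)
    team.bots["B_DEPLOY"] = CustomBot("B_DEPLOY", "U_ALICE")
    team.bots["B_STANDUP"] = CustomBot("B_STANDUP", "U_BOB")
    team.bots["B_LUNCH"] = CustomBot("B_LUNCH", "U_CAROL")
    return team


def demo() -> dict:
    team = build_sample_team()
    team.deactivate_user_buggy("U_ALICE")           # bug: B_DEPLOY stays enabled
    cascaded = team.deactivate_user("U_BOB")        # fix: B_STANDUP disabled
    orphaned = team.audit_orphaned_bots()           # finds B_DEPLOY only
    deploy_denied = not team.bot_can_access("B_DEPLOY")  # owner inactive
    remediated = team.remediate()
    return {
        "cascaded": cascaded,
        "orphaned": orphaned,
        "deploy_access_denied": deploy_denied,
        "remediated": remediated,
        "lunch_still_ok": team.bot_can_access("B_LUNCH"),
        "clean_after": team.audit_orphaned_bots(),
    }


if __name__ == "__main__":
    print(demo())
```

The two defences are deliberately independent: the cascade in `deactivate_user` removes the bot's access at the moment the owner leaves, while `bot_can_access` re-checks the owner on every request, so a bot that slipped past the cascade (the situation the audit found) is still refused. Running the audit periodically, not only once, catches the same orphans from the data side.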
While we have no reason to believe that anyone took advantage of these circumstances to read messages which they would not otherwise have access to (or even that anyone was aware this was the case), it is impossible to rule it out definitively. Because we take security very seriously, we have acted quickly to disable these bots and notify all Slack teams that may have been impacted.
How many teams were impacted?
Approximately 0.05% of Slack teams were identified as having a custom bot enabled that was associated with a deactivated user. Those custom bots have been disabled and affected teams have been notified.
How was the incident uncovered?
We became aware of this issue through a user-reported bug. Slack maintains an active bug bounty program and encourages reports here: https://slack.com/report-vulnerability
How long did you know about this issue before you notified affected teams?
We have been working diligently since becoming aware of the issue to determine which teams were likely impacted. Our goal has been to communicate as quickly as possible while ensuring that our facts are accurate. We received a user report late on Friday, December 18th that we began investigating. As a result of this investigation, we ran an audit of custom bot integrations across Slack that we completed late Monday evening, December 21, 2015. We notified affected teams within 36 hours of the audit being completed.
What kind of content was available to deactivated users?
Deactivated users may have had access, through a custom bot they had set up, to whatever content that bot had access to. It is important to note that while access was technically possible, we have no reason to believe that anyone took advantage of these circumstances to read messages which they would not otherwise have access to (or even that anyone was aware this was the case). However, it is impossible to rule it out definitively.
What kind of policies does Slack have in place to monitor the security of integrations, including bots?
For Slack Apps in the App Directory, we have a customer experience team and a policy lead working together on the review process. The directory is still new; before an App is included in it, we test the app and vet the OAuth scopes it requests. Our users also have the ability to report Apps from the App Directory if there are any problems or concerns.
For custom bots, we have addressed the issue that could have left deactivated users with access through custom bots that were not properly disabled. For additional security, team administrators can change their team settings to limit which users can add custom bots to their team.