This script search for Slack Webhooks token publicly exposed on Github.com
Slack webhooks are easy to search on Github since they have all the same format:
https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXX/xxxxxxxxxxxxxxxxxxxxxxxx
I've run this script on a cloud function every hour for 6 months and in total I've collected more than 6500 Slack Webhooks.
Afterward I've sent a message to all the #general channels warning that they have an exposed token on Github.
The message received by the people was the following:
In total I've sent ~6500 Slack messages and the youtube video that was explaining the experiment had ~3700 views, so we can assume that roughly 57% of webhooks was still valid.
* Supposing that only one person had watched this video per channel
Click on the image for play the video:
Most of the people appreciated that I've sent a message to them and warned them about their security problems.
You can read all the comments under the youtube video that I've sent to them:
https://www.youtube.com/watch?v=ybFTGeJICho&t=2s
The script instruments a chromium instance using puppeteer and use it to search github the prefix of the slack token.
Since the big number of results the script filter for a specific programming language and for a specific sorting option every time it run.
- install nodejs
- Open your terminal and cd in the repo folder
- Type
npm install - Edit
index.jsand insert your Github username and password (needed for perform the search) - Type
node index.js
Done! 🎉
Gruppio 2019