
Wikidata slack channel token in public config file
Closed, ResolvedPublic

Description

email:

I'm not very familiar with Slack, so I don't know how sensitive this token is.

Anurag Jain <>

3:07 PM (23 minutes ago)

to security
Hi Security Team,

Kindly consider this under your bug bounty program.
One of the GitHub projects is revealing the Slack token for your Slack channel.

Vulnerable URL

Token Revealed:

Proof that it is working
Output: invalid_payload

Which shows that credentials were accepted.

This gives unauthorized access to post on your Slack channel.

Revoke this token and use an encrypted token in .travis.yml.

Kindly let me know in case any other details are required from my side.


Event Timeline

Looks like this is for Travis CI's integration with Slack:

Within the docs, they recommend encrypting the token (which it doesn't appear to be within .travis.yml, but I can't say for sure) if it's stored within a public repo, as it is here. Of course, placing it within a private config repo should also work.

(and of course, with public exposure, the token value should change, if possible)

It can be stored in .travis.yml as an encrypted value; it would look like this:

      - secure: "sdfusdhfsdofguhdfgubdsifgudfbgs3453durghssecurestringidsuag34522irueg="
    on_success: always

That very codebase has been archived according to ; however, the information also exists in other active (?) ones:

$:acko\> grep --include="*.yml" -r slack .
./WikibaseQualityExternalValidation/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
./WikibaseQuality/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
./WikibaseQualityConstraints/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
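The grep above matches any line containing "slack", so it also hits the encrypted `secure:` form the Travis docs recommend and unrelated keys. The following scanner, added here as an example and not code from the reporter, from WMDE or from the Wikibase repositories, distinguishes the plaintext `account:token` form seen in the grep output from the encrypted form. The three `.travis.yml` contents are constructed samples with made-up account names and token values; the token regex (an alphanumeric account, a colon, then at least 16 alphanumeric characters) is an assumption based on the shape of the value in the grep output, not a documented Travis or Slack format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample .travis.yml contents (not taken from any real repository).
# 1. Plaintext "account:token" inline, the form the grep output above shows.
PLAINTEXT_CONFIG = """\
language: php
notifications:
  slack: exampleteam:AbCdEfGhIjKlMnOpQrStUvWx
"""

# 2. Encrypted value under rooms:, the form the Travis docs recommend.
ENCRYPTED_CONFIG = """\
language: php
notifications:
  slack:
    rooms:
      - secure: "c2VjdXJlZC1ieS10cmF2aXMtcHVibGljLWtleQ=="
    on_success: always
"""

# 3. Mixed rooms list: one plaintext entry next to one encrypted entry.
MIXED_ROOMS_CONFIG = """\
notifications:
  slack:
    rooms:
      - exampleteam:AbCdEfGhIjKlMnOpQrStUvWx
      - secure: "c2VjdXJlZC1ieS10cmF2aXMtcHVibGljLWtleQ=="
"""

# Assumed shape of a plaintext Travis Slack token: <account>:<token>.
PLAINTEXT_TOKEN_RE = re.compile(
    r"^(?P<account>[A-Za-z0-9][A-Za-z0-9-]*):(?P<token>[A-Za-z0-9]{16,})$"
)


@dataclass
class Finding:
    path: str
    line: int       # 1-based line number in the file
    kind: str       # "plaintext" or "encrypted"
    account: str    # Slack account part for plaintext findings, "" otherwise


def _classify(value: str) -> Tuple[Optional[str], str]:
    """Classify a single YAML scalar or list item found under the slack: key."""
    v = value.strip().strip('"').strip("'")
    if v.startswith("secure:"):
        return "encrypted", ""
    m = PLAINTEXT_TOKEN_RE.match(v)
    if m:
        return "plaintext", m.group("account")
    return None, ""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def scan_travis_yml(path: str, text: str) -> List[Finding]:
    """Walk a .travis.yml and report every Slack token value under a slack: key.

    Handles the inline form (slack: value) and the block form, where the
    values live under rooms: as a list, with or without secure: wrapping.
    Deliberately regex-based so it runs without a YAML library.
    """
    findings: List[Finding] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)slack:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent, inline = len(m.group(1)), m.group(2).strip()
        if inline:
            kind, account = _classify(inline)
            if kind:
                findings.append(Finding(path, i + 1, kind, account))
            i += 1
            continue
        # Block form: consume lines nested deeper than the slack: key itself.
        j = i + 1
        while j < len(lines):
            raw = lines[j]
            if raw.strip() and _indent(raw) <= key_indent:
                break
            item = raw.strip()
            if item.startswith("- "):
                item = item[2:].strip()
            if item.startswith("rooms:"):
                item = item[len("rooms:"):].strip()
            kind, account = _classify(item)
            if kind:
                findings.append(Finding(path, j + 1, kind, account))
            j += 1
        i = j
    return findings


def plaintext_accounts(text: str) -> List[str]:
    """Convenience view: the accounts whose tokens sit unencrypted in the file."""
    return [f.account for f in scan_travis_yml("<inline>", text) if f.kind == "plaintext"]


if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CONFIG), ("encrypted", ENCRYPTED_CONFIG),
                      ("mixed", MIXED_ROOMS_CONFIG)):
        for f in scan_travis_yml(name, cfg):
            print(f"{f.path}:{f.line}: {f.kind} slack token" + (f" for account {f.account}" if f.account else ""))
```

Run it over a checkout with `scan_travis_yml(path, open(path).read())` per `.travis.yml`; only "plaintext" findings need revocation, while "encrypted" entries are the state the reporter asked for. The token itself is never printed, only the account and line, so the scanner's own output does not re-leak what it finds.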

There's a GitHub bot in Slack that shows CI results for PRs, so you don't need to touch the Travis config for notifications at all.

This must be left over from when the group of students originally developed the extension.
We don't use slack at WMDE, so we can probably just remove the token now.

Patch for WikibaseQualityConstraints

Can we also remove it from archived extensions? I guess we can't write to those?

Yeah we can just remove the integration with Slack. It's a leftover from the students.

Addshore raised the priority of this task from Low to Needs Triage.
Addshore triaged this task as Low priority.
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 3 2019, 2:36 PM