Security@wikimedia.org email:
I'm not very familiar with Slack, so I don't know how sensitive this token is.
Anurag Jain <cs.anurag.jain@gmail.com>
3:07 PM (23 minutes ago)
to security
Hi Security Team,
Kindly consider this under your bug bounty program.
One of the GitHub projects is revealing the Slack token for your Slack channel.
Token Revealed:
https://wikidataquality.slack.com/services/hooks/travis?token=6RzuL6LCKzoPupOKuNUhpCSt
Proof that it is working:
curl https://wikidataquality.slack.com/services/hooks/travis?token=6RzuL6LCKzoPupOKuNUhpCSt
Output: invalid_payload
Which shows that credentials were accepted.
This gives unauthorized access to post on your Slack channel.
Recommendation:
Revoke this token and use an encrypted token in .travis.yml.
Kindly let me know in case any other details are required from my side.
Regards,
Anurag
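
A check for the recommendation in the report above, added here as an example and not part of the original email or the project's code: it scans a .travis.yml for Slack credentials committed in plaintext and ignores entries stored under `secure:`. The function names and the sample file (account name, tokens, ciphertext) are constructed for illustration.

```python
import re

# Slack's Travis hook URL, the form shown in the report: the token is a query parameter.
HOOK_URL = re.compile(r"https?://([\w-]+)\.slack\.com/services/hooks/travis\?token=(\w+)")
# Travis "notifications: slack:" shorthand: <account>:<token>, optionally "#channel".
ACCOUNT_TOKEN = re.compile(
    r"""^\s*(?:-|slack:)\s*['"]?([\w-]+):(\w{16,})(?:#[\w-]+)?['"]?\s*$""")

def redact(token):
    """Keep a short prefix so a finding can be matched without re-leaking the token."""
    return token[:4] + "..."

def find_plaintext_slack_tokens(text):
    """Return (line, kind, account, redacted_token) for each plaintext Slack credential."""
    findings = []
    slack_indent = None  # indentation of the enclosing "slack:" key, if any
    for lineno, line in enumerate(text.splitlines(), 1):
        # A hook URL is a leak wherever it appears, including in comments.
        for m in HOOK_URL.finditer(line):
            findings.append((lineno, "hook-url", m.group(1), redact(m.group(2))))
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        if stripped.startswith("slack:"):
            slack_indent = indent
        elif slack_indent is not None and indent <= slack_indent:
            slack_indent = None  # left the slack block
        if slack_indent is not None:
            m = ACCOUNT_TOKEN.match(line)
            if m:  # "secure:" entries never match: ciphertext follows a space and quote
                findings.append((lineno, "account:token", m.group(1), redact(m.group(2))))
    return findings

# Constructed sample .travis.yml; account name, tokens and ciphertext are made up.
SAMPLE = """\
language: php
notifications:
  email: false
  slack:
    rooms:
      - example-team:AAAAconstructedtoken0001#builds
      - secure: "Y29uc3RydWN0ZWQtY2lwaGVydGV4dA=="
  webhooks: https://example-team.slack.com/services/hooks/travis?token=BBBBconstructedtoken0002
"""

if __name__ == "__main__":
    for finding in find_plaintext_slack_tokens(SAMPLE):
        print("line %d: %s account=%s token=%s" % finding)
```

A token that was ever committed stays in the repository history, so a finding here means revoking the token as well as replacing the entry with its encrypted form.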