tl;dr Introducing whoamislack, a tool to enumerate Slack Workspace Names from Slack Webhook URLs. This tool works even if the keys are no longer active.
One of the most commonly leaked secrets TruffleHog finds are Slack Webhook URLs. Learn more about how they can be used for phishing here. During recent research, our team discovered a Slack Webhook leaked in a Gist created by a Fortune 10 company’s employee. Our first question was: is this a Slack Webhook for the Fortune 10 firm? Or is this for a personal/community Slack workspace?
The output from TruffleHog, our secret scanning tool, looked like this:
Screenshot of TruffleHog Identifying a Slack Webhook in a GitHub Gist
TruffleHog enriches some secret data, such as providing AWS account numbers and ARNs for AWS keys. However, TruffleHog does not supply any additional details about the Slack account associated with the leaked webhook.
Attackers can misuse these webhooks to discover the account details, but what about security researchers that aren’t authorized to use the links?
Slack Webhook -> Workspace Name
Slack Webhook URIs are created in the following format:
T00000000 portion of the URL is that Slack Workspace’s team id.
After digging through Slack’s API documentation, we discovered the endpoint team.info. It turns out the Slack API lets any authenticated user enumerate the workspace name associated with any team id, even if the user isn’t a member of the workspace.
Screenshot of the team.info API Documentation
To test it out, we created the required authentication credentials under our own Slack organization (an OAuth User token with team:read privileges) and then ran a
cURL request with the team_id from the leaked webhook. Sure enough, it worked!
Fortunately for the engineer, it was just an old personal Slack workspace.
To make the Slack Workspace Name discovery process more efficient, we’re releasing a new tool that enumerates Slack workspace names from Slack webhook URLs.
Screenshot of WhoAmISlack README
The tool requires two steps:
Generate an OAuth User token with
team:readprivileges from any Slack account (follow these directions to generate one).
Run the python script with two arguments: the token from step 1 and the webhook URL.