
Why We Can’t Have Nice Things: Slack Leads to Federal Data Breach



Slack is a useful communication tool, but it may have revealed secret government information. 18F, the tech and digital subset of the General Services Administration, shared documents and spreadsheets through Slack, possibly exposing more than 100 Google Drive accounts for nearly half a year according to a new GSA Inspector General report.

Employees at 18F were apparently required to use Slack, but it had not been approved by the GSA's IT team, and neither had the OAuth 2.0 authentication protocol 18F used. Failing to meet that standard potentially put personal information and proprietary contractor data at risk of theft by hackers. The vulnerability may have been present since October, but 18F did not notice it until March. Even then, instead of reporting it within an hour as required, 18F took another five days to notify GSA security officers.

One irony of the situation is that 18F wasn't keeping its use of Slack a secret; it published entire blog posts about using it. Slack, for its part, has pointed out some of its own security flaws while pushing out fixes. For now, the GSA is recommending a halt to Slack use until it can be tested and approved against the agency's IT standards. No data was found to have actually leaked, but it's another cautionary tale, and a reminder of how important education is when connecting tech-startup people with the government. All the great ideas 18F comes up with won't be worth much if the data isn't actually safe.
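The control the report is really pointing at is visibility: an agency cannot approve, or halt, a third-party OAuth integration it does not know exists, and it cannot judge the risk without seeing which Google Drive scopes each grant carries. The following is an added example, not code from the article, 18F, GSA or Slack. It audits a list of OAuth 2.0 grant records against an approved-app policy and flags unapproved apps holding Drive scopes, approved apps holding full-Drive scopes, and stale grants. The grant records, client ids, user names and dates are constructed; the policy thresholds are hypothetical; the scope strings themselves are Google's published Drive, userinfo and Calendar scopes. In a real deployment the records would come from an export of token grants in the identity provider's admin console.

```python
"""Audit third-party OAuth 2.0 grants against an approval policy.

Added example (not from the article or from 18F/GSA/Slack). Grant records,
client ids and dates below are constructed; the policy is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DRIVE_PREFIX = "https://www.googleapis.com/auth/drive"

# Scopes that expose the contents of every file in the user's Drive.
FULL_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}


@dataclass
class Grant:
    user: str
    app_name: str
    client_id: str          # OAuth client id as recorded by the IdP (constructed)
    scopes: frozenset
    granted_at: datetime


@dataclass
class Finding:
    user: str
    app_name: str
    severity: str           # "high", "medium" or "info"
    reason: str


def audit_grants(grants, approved_clients, now, max_age_days=180):
    """Return policy findings for a list of OAuth grants.

    - an app not on the approved list holding any Drive scope: high
    - an approved app holding a full-Drive scope: medium (needs justification)
    - any Drive grant older than max_age_days: info (stale-grant review)
    Grants without Drive scopes are out of scope for this audit and skipped.
    """
    findings = []
    for g in grants:
        drive_scopes = {s for s in g.scopes if s.startswith(DRIVE_PREFIX)}
        if not drive_scopes:
            continue
        if g.client_id not in approved_clients:
            findings.append(Finding(
                g.user, g.app_name, "high",
                "app not on approved list; Drive scopes: " + ", ".join(sorted(drive_scopes))))
        elif drive_scopes & FULL_DRIVE_SCOPES:
            findings.append(Finding(
                g.user, g.app_name, "medium", "approved app holds a full-Drive scope"))
        if now - g.granted_at > timedelta(days=max_age_days):
            findings.append(Finding(
                g.user, g.app_name, "info", f"grant older than {max_age_days} days"))
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample data: a reference time and four grant records.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice@example.gov", "Approved Backup", "client-approved-1",
          frozenset({"https://www.googleapis.com/auth/drive.file"}),
          NOW - timedelta(days=30)),
    Grant("bob@example.gov", "Chat Integration", "client-unreviewed-9",
          frozenset({"https://www.googleapis.com/auth/drive",
                     "https://www.googleapis.com/auth/userinfo.email"}),
          NOW - timedelta(days=150)),
    Grant("carol@example.gov", "Approved Sync", "client-approved-2",
          frozenset({"https://www.googleapis.com/auth/drive.readonly"}),
          NOW - timedelta(days=200)),
    Grant("dave@example.gov", "Calendar Helper", "client-unreviewed-3",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"}),
          NOW - timedelta(days=10)),
]
APPROVED_CLIENTS = {"client-approved-1", "client-approved-2"}


def run_audit():
    """Run the audit over the constructed sample and return its findings."""
    return audit_grants(SAMPLE_GRANTS, APPROVED_CLIENTS, NOW)


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"[{f.severity.upper():6}] {f.user:20} {f.app_name:18} {f.reason}")
    print(summarize(results))
```

Only the grant to the unreviewed "Chat Integration" client is rated high, because an unapproved app with a full-Drive scope is exactly the condition the GSA report describes; the approved sync app is flagged medium for holding full read access and info for being older than the review window, and the calendar-only grant is skipped. Approval decisions and scope justifications still belong to the agency's IT review; the script only makes the inventory visible.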

Update: Here's what Slack had to say about it.

The issue reported this morning by the GSA Office of the Inspector General does not represent a data breach of Slack, and customers should continue to feel confident about the privacy and security of the data they entrust to Slack.

Slack leverages the existing Google authentication framework when users integrate Google Drive with Slack. This integration allows users to more easily share documents with other team members in Slack. However, only team members who have access to the underlying document from the permissions that have been set within Google can access these documents from links shared in Slack. Sharing a document into Slack or integrating Google Drive with Slack does not alter any existing Google document or Google Drive access permissions. Those permissions are set and managed within Google. Slack is unable to modify, grant or extend any permissions that exist in Google Drive.

Slack administrators and team owners can control which team members can add integrations to their Slack team. Slack is highly configurable to meet the regulatory and compliance needs of a variety of different kinds of organizations, in both the public and private sectors.

