An unprotected AI service is streaming private Slack messages online

  • Cybernews team finds an AI-powered Slack tool is leaking data online
  • GitLab commits and Slack Huddle conversations are being exposed
  • The company was notified, but hasn’t reacted yet

Cybersecurity researchers have discovered an AI tool for Slack is leaking private user data, including chat messages and other communication.

The tool is called Struct Chat, and is designed to enhance productivity within Slack. It offers features such as organizing and summarizing threads, answering questions, and generating newsletters, and costs $29.95 per month.

In mid-October 2024, the Cybernews researchers found a “company-owned unprotected web service” streaming user data. The exposed instance was an Apache Kafka broker; Kafka is a real-time distributed message streaming platform, and a broker is the server that accepts and hands out those messages.

Taking appropriate action

As the researchers explained, the broker acted as a central hub for moving data between the tool's different applications. Because a broker like this handles large volumes of data from every connected service, an instance reachable without authentication is a popular target.
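What that exposure typically looks like at the broker, and what the fix looks like, is shown below as an added example written for this article. It is not Struct Chat's configuration and not taken from the Cybernews report; the hostnames, file paths and the admin user name are assumptions chosen for illustration.

```properties
# ---- Weak: the pattern behind an "unprotected" Kafka broker ----
# A plaintext listener bound to every interface, no authentication and
# no authorizer. Anyone who can reach TCP 9092 can list topics and consume
# every message the applications publish, in real time.
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://kafka.example.internal:9092   # assumed hostname
# (no authorizer.class.name set: every client is allowed to do everything)

# ---- Hardened: authenticate every client, encrypt, and deny by default ----
# Only a SASL_SSL listener is exposed; plaintext is gone entirely.
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://kafka.example.internal:9093    # assumed hostname
listener.security.protocol.map=SASL_SSL:SASL_SSL
security.inter.broker.protocol=SASL_SSL

# TLS for the listener (paths and passwords are assumptions).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=change-me
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
ssl.truststore.password=change-me

# Password-based client authentication with per-client credentials.
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512

# ACLs on, and a topic with no ACL is NOT world-readable.
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin                                  # assumed principal
```

With the second configuration an anonymous client is rejected during the SASL handshake before it can request metadata, so a quick external check such as `kcat -b kafka.example.internal:9093 -L` from a host with no credentials should fail rather than print the topic list. Network-level restriction (not exposing 9092/9093 to the internet at all) belongs in front of this, but the broker settings are what stop the "read everything without any restraints" scenario the researchers describe even if the port is reachable.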

“While observing the data stream for a brief period, we encountered examples of GitLab commits, Slack Huddle conversations, and data from other services. This enables threat actors to track and read messages and other events in real-time and extract sensitive company and personal information without any restraints,” the researchers said.

Here is the full list of exposed information:

  • Tokens, IDs, first and last names
  • Email addresses
  • Conversations with other users and the bot AI, timestamps
  • Internal team names and other general information
  • Event data and type (what the user is doing, for example, updating Slack profile)
  • Links to pipelines, internal URLs, CI/CD (Continuous Integration and Continuous Deployment) statuses

Allegedly, the company developing this tool, also called Struct Chat, was notified about the findings multiple times. However, as of January 27, the leak has not yet been addressed.

“In one hour, the unprotected instance transmitted data from over 1,000 unique users from 200 unique companies. This leak can easily be exploited to gather users’ personally identifiable information, such as full names, email addresses, chats, and other internal communications, various internal links and resources,” Cybernews researchers concluded, urging all users to be careful and “take appropriate action”.

Via Cybernews
