An unprotected AI service is streaming private Slack messages online
The tool's owners have been notified, but it hasn't addressed the flaw yet
- Cybernews team finds an AI-powered Slack tool leaking data online
- GitLab commits and Slack Huddle conversations are being exposed
- The company was notified, but hasn't reacted yet
Cybersecurity researchers have discovered an AI tool for Slack is leaking private user data, including chat messages and other communication.
The tool is called Struct Chat, and is designed to enhance productivity within Slack. It offers features such as organizing and summarizing threads, answering questions, and generating newsletters, and costs $29.95 per month.
In mid-October 2024, the Cybernews researchers found a “company-owned unprotected web service” streaming user data. The exposed instance was an Apache Kafka Broker, a real-time distributed message streaming platform.
Taking appropriate action
As the researchers explained, a Kafka broker acts as a central hub for moving data between different applications. As such, it handles large volumes of data and is a popular target.
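For readers who operate a Kafka broker themselves, the fragment below is an added illustration and not part of the Cybernews report or the vendor's actual configuration. It shows a broker `server.properties` in the shape the article describes (an unauthenticated plaintext listener bound to every interface, no authorizer, so anyone who can reach the port can subscribe to every topic) beside a hardened equivalent. The hostname, file paths, passwords and principal name are placeholders; the two halves would normally live in separate files and are shown together only for comparison.

```properties
# --- Weak configuration (illustrative) ---
# Plaintext listener on all interfaces: any client that can reach TCP/9092
# can consume every topic in real time, exactly the exposure described above.
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.invalid:9092
# No authorizer.class.name set, so there are no per-topic ACLs at all,
# and clients may create topics freely.
auto.create.topics.enable=true

# --- Hardened configuration ---
# Encrypt in transit and require each client to authenticate (SASL/SCRAM over TLS).
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.example.invalid:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
# Broker identity and the CA used to verify peers (paths/passwords are placeholders).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=<placeholder>
ssl.truststore.location=/etc/kafka/ssl/ca.truststore.jks
ssl.truststore.password=<placeholder>
# Deny by default: a principal with no matching ACL can neither read nor write.
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
# Topics are created by an administrator, not implicitly by the first producer.
auto.create.topics.enable=false
```

The authorizer class shown is the ZooKeeper-mode one; brokers running in KRaft mode use `org.apache.kafka.metadata.authorizer.StandardAuthorizer` instead. SCRAM credentials are then provisioned with `kafka-configs.sh` and per-topic read/write grants with `kafka-acls.sh`. Authentication and ACLs complement, rather than replace, keeping the broker off the public Internet: a message bus carrying chat transcripts and CI events has no reason to accept connections from arbitrary addresses, and a firewall or private network is the first control, with a periodic external port scan of your own ranges as the check that it is still in place.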
“While observing the data stream for a brief period, we encountered examples of GitLab commits, Slack Huddle conversations, and data from other services. This enables threat actors to track and read messages and other events in real-time and extract sensitive company and personal information without any restraints,” the researchers said.
Here is the full list of exposed information:
- Tokens, IDs, first and last names
- Email addresses
- Conversations with other users and the bot AI, timestamps
- Internal team names and other general information
- Event data and type (what the user is doing, for example, updating Slack profile)
- Links to pipelines, internal URLs, CI/CD (Continuous Integration and Continuous Deployment) statuses
Allegedly, the company developing this tool, also called Struct Chat, was notified about the findings multiple times. However, as of January 27, the leak has not yet been addressed.
“In one hour, the unprotected instance transmitted data from over 1,000 unique users from 200 unique companies. This leak can easily be exploited to gather users' personally identifiable information, such as full names, email addresses, chats, and other internal communications, various internal links and resources,” Cybernews researchers concluded, urging all users to be careful and “take appropriate action”.
Via Cybernews
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.