[Update: After hearing about this issue, Slack has revoked the app's access to its API. The company issued this statement:
“This is not a Slack security issue but rather a case of an unlisted third-party app mishandling user data in violation of Slack’s API Terms of Service. Once we became aware of the issue, we took immediate action to revoke the app’s API access to protect customers and users.
Slack provides customers with tools to manage app installations and the scope of that data access, including the ability to restrict access to only vetted apps from the Slack Marketplace. Struct Chat was not listed in our Marketplace directory and did not go through our security and compliance review. We encourage all customers to review their installed apps, the permitted scopes of those apps, and use Slack’s security controls to manage third-party integrations.”]
Original article:
We’re at a point where we can’t trust any of the AI technologies that we use in our daily lives (the same goes for the companies developing the technology). The latest example: an AI service called Struct Chat can expose user data and Slack messages with very little effort on an attacker's part.
Struct Chat is an AI tool for Slack users. It’s one of the tools that can comb through your Slack messages, organize the messages, summarize threads, generate actual newsletters, and overall make life easier. This sounds like a useful tool for people who are inundated by Slack messages on a daily basis. For just $29.99/month, this service can make Slack less of a hassle to use.
However, the AI tool Struct Chat has a massive data security issue
The research team at Cybernews discovered a large oversight on the company’s side that has put the privacy of its users at risk. At the time of writing, the issue has not been resolved, and it is unclear when the company will address it.
Struct Chat uses an Apache Kafka broker to move messages between its services. A broker like this carries a large volume of data back and forth, which already makes it an attractive target for anyone looking to steal that data. The problem is that this particular Kafka broker is completely unprotected. An unprotected central hub for the service’s information is a prime target for attackers.
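The usual cause of an "unprotected" Kafka broker is a listener left on the PLAINTEXT protocol with no authorizer configured, which is exactly how Kafka ships by default. The following is an added example, not code from the article or from Struct Chat: a small audit script that parses a broker's `server.properties` and flags the settings that leave it open, run against two constructed configurations (an exposed one and a hardened one). The property names are real Kafka broker settings; the file paths, host names and keystore password are placeholders. It also resolves named listeners through `listener.security.protocol.map`, so it catches the common case where an "internal" listener is still PLAINTEXT.

```python
"""Audit a Kafka broker's server.properties for settings that leave it open.

Added example, not code from the article or from Struct Chat. The property
names are real Kafka broker settings; the two configurations below are
constructed for illustration, and the paths and password are placeholders.
"""
from __future__ import annotations


def parse_properties(text: str) -> dict[str, str]:
    """Minimal parser for the Java .properties format Kafka uses.

    Handles key=value and key:value lines, trims whitespace, and skips blank
    lines and '#'/'!' comment lines.
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def listener_protocols(props: dict[str, str]) -> list[tuple[str, str]]:
    """Resolve each configured listener to its security protocol.

    A listener name maps to a protocol via listener.security.protocol.map;
    when a name is not in the map, Kafka treats the name itself as the
    protocol (PLAINTEXT, SSL, SASL_PLAINTEXT or SASL_SSL).
    """
    proto_map: dict[str, str] = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = pair.partition(":")
        if sep:
            proto_map[name.strip().upper()] = proto.strip().upper()
    resolved: list[tuple[str, str]] = []
    # Kafka's own default when `listeners` is unset is an open PLAINTEXT listener.
    for entry in props.get("listeners", "PLAINTEXT://:9092").split(","):
        entry = entry.strip()
        if not entry:
            continue
        name = entry.split("://", 1)[0].upper()
        resolved.append((entry, proto_map.get(name, name)))
    return resolved


def audit_broker_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    props = parse_properties(text)
    findings: list[str] = []

    for entry, proto in listener_protocols(props):
        # A PLAINTEXT listener accepts any client that can reach the port,
        # with no authentication and no encryption.
        if proto == "PLAINTEXT":
            findings.append(f"listener {entry} uses PLAINTEXT: no authentication, no TLS")
        # SASL over a non-TLS listener authenticates, but credentials and
        # every message still cross the network in the clear.
        elif proto == "SASL_PLAINTEXT":
            findings.append(f"listener {entry} uses SASL_PLAINTEXT: credentials and data sent unencrypted")

    # Without an authorizer there are no ACLs at all: every principal that
    # gets a connection can read and write every topic.
    if not props.get("authorizer.class.name"):
        findings.append("authorizer.class.name is unset: no ACL enforcement")

    # Even with an authorizer, this flag grants everyone access to any topic
    # that has no explicit ACL. Kafka's default is false.
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without ACLs are open to all")

    return findings


# Constructed example of an exposed broker: these are effectively Kafka's
# defaults, and anyone who can reach port 9092 can consume every topic.
EXPOSED_CONFIG = """\
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.internal:9092
log.dirs=/var/lib/kafka
"""

# Constructed hardened counterpart: TLS plus SASL/SCRAM on the only listener,
# ACLs enforced, nothing granted by default. Paths and password are placeholders.
HARDENED_CONFIG = """\
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
ssl.keystore.password=PLACEHOLDER_ROTATE_ME
ssl.truststore.location=/etc/kafka/truststore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_broker_config(cfg)
        print(f"{label}: {'no issues flagged' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The exposed configuration produces two findings (an open PLAINTEXT listener and no authorizer) and the hardened one produces none. A clean result from this script is only the first gate: the ACLs themselves still have to grant each service the narrowest set of topics it needs, and the broker's port should not be reachable from the public internet at all.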
The amount of data that the Kafka broker leaks is alarming. According to the report, it moves data such as tokens, IDs, email addresses, conversations (between users and the AI), timestamps, internal team names, event data and types, links to pipelines, internal URLs, and CI/CD (continuous integration and continuous deployment) statuses.
If this unprotected Kafka broker falls into the wrong hands, the data and private chats of Struct Chat users could be in jeopardy. This is ironic, because the company claims that its ChatGPT-powered service has a privacy-first mentality. That claim is hard to believe now, as cybersecurity clearly isn’t the company’s priority.