fun way to monitor someone's IP address: 1. create a paid slack workspace 2. get them to join your slack 3. now you can see their IP address and device type in Slack's access logs as long as they're logged in and have the Slack webpage/app open
81 replies and sub-replies as of Mar 23 2018

by “open” i mean the app is running, even in the background. so it works even if someone logged into your slack and hasn’t looked at it in a while
Does that work with "Guest Access" to a paid workspace or do they have to be a paid user as well?
works with anyone in the workspace
Ummmm guess it's time to close all my pinned slacks
lol yup. i saw my IP address being logged several times a day for some that i hadn’t opened in weeks
foobar.slack.com/admin/logs if you're an admin; foobar.slack.com/account/logs if you're a regular user and just want to see your own access log
I'm embarrassed to admit how many goes it took me to realise I had to replace foobar with my own slack workspace name. I blame this mysterious Dutch brown beer.
You could also set up an IRC or TeamSpeak server. They won't give you device details, but the software can be used for free, so it's something ...
the benefit of slack is that you can convince more non-technical users to sign up for it vs IRC
If collecting IP address and device details are the main goal, along with user-friendliness, wouldn't setting up a website with some logging suffice? I would say that's even more user-friendly. All they need to do is *click teh link*; no sign-up required.
but slack gives you their IP whenever it changes, no user interaction needed
Ah, I see now. How nice of them . . .
Thanks! I looked at the log, signed off, but didn't think to change settings while there (account worked but not admin). Is it possible to turn it off?
i don't think you can turn off ip logging
Is proxychains an option? I'm slack-illiterate.
Off topic but Twitter warned me this tweet contains offensive content 🤷🤦🤣 twitter.com/nixhaxor/statu…
lol that's funny
Slack works fine over Tor 😏
honestly, do YOU use slack with Tor?
Depends on the slack...but yeah.
Yup. Infosec sucks like that sometimes, but if you’re going to be secure then that’s what you gotta do.
Does slack have any P2P elements? I remember when Skype could (may still) disclose IP addresses of those you're chatting with. You can use your local firewall like @littlesnitch to ascertain probable IP addresses
Semi related: slack will show your slack subdomain in the referrer if you click a link to a 3rd party from within slack
you can turn it off in this admin setting
Ok, but isn’t that as shocking as “slack can see all your messages” and “slack admins can see your ‘private’ messages”? Or: Mozilla knows where you are, b/c Firefox calls home every 30min. (Chrome/Google, too, of course.)
it's more surprising because (in my experience) people aren't aware that they're sending IP several times an hour to whoever is admining a slack (lots of randos) versus just employees of Slack
in addition to the Slack run by my employer, i've been invited to Slacks admin'ed by random people for conferences, hackerspaces, living groups, art projects, etc.
Yeah, I suppose one issue is the muddling of an enterprise solution (where this is expected) with the random community setup.
This is the daily reminder that the cloud is just someone else’s computer.
Somebody else's dumpster fire, as 2018 is turning out. Though the more we know, the better in the long run. I hope a lot more comes out and some privacy-abusing companies go down hard
You don’t join other slacks. Simple as that. Infosec sucks like that sometimes.
Is Slack the only app that harvests ip addresses? So no other apps do this?
Yeah exactly, why admins would need that at the end? Really thanks a lot for sharing
Mozilla does not keep any records about your location.
There is no privacy.
wait is “slack admins can see your ‘private’ messages” real or an example
it’s real but you have to submit a request for access
To Slack or the user?
to Slack
yeah knowing someone's IP is as plain as knowing what their phone number is when they call you
the logs of every website have the IPs of every user, and the server admin can see them
slack gives you more persistent access since people usually close tabs but not slack. i was able to get random people’s IP addresses several times an hour months after they had last looked at my slack.
which meant i could see when they were on home wifi and when/where they were traveling over the course of months without any user interaction :)
so this is actually more like running an IRC server than running a website
Wait a sec, people willingly join slack servers?
Anyone with a rinky dink website can see the IP address of their visitor in the back end ops, no? So use a VPN.
I had a similar issue where a supposed “IT security professional” from a swiss bank who shall remain unnamed was “afraid to give me his ip address” to assist me in debugging why he couldn’t register to our sip sbc. Looked it up in [some other chat application]… ah well… 🤷‍♂️
So I assume that if you have the client installed on your phone it continually updates your IP
s/:\)/:\(/g Everything is terrible then
it’s all websockets. if you have burp open while slacking, it will open your eyes to how often it is pinging back.
Wtf kind of crazy language is this!? Gettin' old I guess.
I feel like this would be on a quiz in a women's magazine, and if you didn't understand, it would mean you are officially old.
i don't fully get the reference but it still made me chuckle
This is a thing that burned a real community I was in (ingress, for the record). Records were cross referenced to find a mole from the other team
Dang, this sounds interesting. Can you share anything more?
Is this for paid slack instances only? There's likely a way to tell if a slack you're in is a paid instance.
yeah only paid slack admins get ip logs
Slack is full of security holes. I'm surprised it's taken off with businesses to the degree it has.
Definitely makes me want to speed up the move of all my slack chats to use the weechat slack plugin (already have irc and other comms on an openbsd box that is not at home).
deletes all iphone apps...realizes apple is still tracking me...smashes phone 📱
Indeed. You can also right click on the person's nickname in ICQ and select details to see their IP Address as well. ;)
I dropped slack a while ago. But not for this reason (unaware). But thanks.
See, this is exactly why I route different apps through different ssh proxies.
nah man ... that's just cause you're paranoid ... 😉❤️
I’m not even sure it’s possible to be paranoid, in the true sense of the word, in relation to online privacy at this point.
touché mon ami, touché
👍👍👍👍 Good morning. Have a good weekend 😊
oh jees.. it's time to purify my slack channels