Reputation: 750
Has anybody checked out Outgoing Webhooks and Slash commands in Slack?
In the case of both Slash commands and Outgoing Webhooks, the command string, along with the user_id and token, is sent in the POST body to the external URL (corresponding to the command). The problem is that the token remains the same for all the team members (the token is visible on the Integrations page, and is therefore public to the team; the endpoint URL is also public). This means there is a mechanism to authenticate the request against the team, but there is no mechanism to authenticate the request against the user.
I can reproduce the request from a different server with the same header, token and request body, but with my team member's user_id, making it appear that somebody else executed the command. There is also no way to verify if the request came from the Slack servers.
My question is: am I missing something here? Are Slash commands even meant for CRUD operations (on an external service), or are they just to fetch data from simple services like weather, Stack Overflow or public APIs? If not, how do you solve this problem?
Update: Spoke to @SlackAPI and they say we need to verify the user_id separately.
Upvotes: 4
Views: 962
Reputation: 32854
This is only the case in the default permission setting for your Slack team. But as soon as you restrict access for team members to integrations, the configuration of an integration, including the token, is no longer public. The calling URL remains public, though, but without the token a malicious user will not be able to recreate the request.
I would recommend that most Slack teams restrict access to integrations for security purposes. You can still allow access on request, which allows you as admin to review and approve each request.
The permission setting can be found under: Manage / Permissions / Approved Apps = on
Upvotes: 1
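The receiving side of the scenario in the question and the answer above, as an added example that is not code from either poster or from Slack: the shared team token is checked first, then the user_id is authorized separately against a mapping the external service established out of band, which is what the question's update calls for. The sample body, token, user_ids and linked-account table are constructed placeholders; the signature check at the end covers the "did this come from Slack" gap using the signing-secret mechanism Slack introduced after this thread, and is not part of the original discussion.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Constructed sample of a Slash-command POST body (form-encoded), placeholder values only.
SAMPLE_BODY = "token=constructed-team-token&team_id=T0000001&user_id=U0000001&command=%2Fdeploy&text=prod"
# Constructed mapping established out of band (each user links their Slack user_id to an
# account in the external service); this is the "separate" user_id verification.
LINKED_ACCOUNTS = {
    "U0000001": {"external_user": "alice", "allowed_commands": {"/deploy", "/status"}},
    "U0000002": {"external_user": "bob", "allowed_commands": {"/status"}},
}

def parse_command(raw_body):
    """Flatten the form-encoded POST body into a dict of single string values."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}

def check_team_token(fields, expected_token):
    """Constant-time check of the shared per-team token; proves team, not user."""
    return hmac.compare_digest(fields.get("token", ""), expected_token)

def authorize_user(fields, linked_accounts):
    """Authorize user_id separately: linked account AND command allowed, else None."""
    account = linked_accounts.get(fields.get("user_id"))
    if account is None or fields.get("command") not in account["allowed_commands"]:
        return None
    return account["external_user"]

def sign_request(raw_body, timestamp, signing_secret):
    """Slack v0 request signature: HMAC-SHA256 over "v0:<timestamp>:<body>", hex."""
    base = f"v0:{timestamp}:{raw_body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()

def verify_slack_signature(raw_body, timestamp, signature, signing_secret, now=None):
    """Verify X-Slack-Signature / X-Slack-Request-Timestamp (added by Slack later); 5-min window limits replay."""
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > 300:
        return False
    return hmac.compare_digest(sign_request(raw_body, timestamp, signing_secret), signature)

def handle_slash_command(raw_body, expected_token, linked_accounts):
    """Decision for one request: team token first, then per-user authorization."""
    fields = parse_command(raw_body)
    if not check_team_token(fields, expected_token):
        return ("reject", "bad team token")
    user = authorize_user(fields, linked_accounts)
    if user is None:
        return ("reject", "user not linked or command not allowed")
    return ("accept", user)
```

With the account mapping in place, a request that carries a valid team token but a user_id that was never linked (or one not allowed to run that command) is refused rather than acted on.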