The General Service Administration’s inspector general wants the agency’s 18F unit to shut down its use of a popular workplace collaboration tool after it was found to expose personally identifiable and contractor proprietary information.
In a “management alert” issued Friday, the GSA IG says 18F’s use of Slack — particularly OAuth 2.0, the authentication protocol used to access other third-party services — potentially allowed unauthorized access to 100 Google Drives, a cloud-based file storage service, in use by GSA. Furthermore, the report says that exposure led to a data breach.
It’s unknown exactly who had access to or what data was stored on those Google Drives. The GSA IG office told FedScoop they could not confirm that any data was actually taken off those services.
In a statement, the IG office said they called the incident a data breach because of the administration’s extremely inclusive definition.
GSA’s Information Breach Notification Policy defines “data breach” as follows (emphasis ours):
Includes the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users with an authorized purpose have access or potential access to PII, whether physical or electronic. In the case of this policy the term “breach” and “incident” mean the same.
A supervisor at 18F discovered the vulnerability in March and informed a senior GSA information security officer, who eliminated the OAuth authentication permissions between the GSA Google Drives and 18F’s Slack account.
During the inspector general’s investigation last week, it was learned that the vulnerability had been in existence since October 2015.
Additionally, the IG asked that any use of Slack or OAuth 2.0 inside GSA be shut down. The services were not in compliance GSA’s Information Technology Standards Profile, which makes sure IT products and services meet GSA’s security, legal, and accessibility requirements.
OAuth 2.0 is used by many web-based products, including a variety of social media networks, allowing users to sign into other services without entering a password. Earlier this year, researchers at a university in Germany found the protocol can be susceptible to man-in-the-middle attacks.
Slack has been a darling of the startup world in recent months, allowing enterprises to internally collaborate and move away from internal emails. (Full disclosure: FedScoop is a user.) Slack CEO Stewart Butterfield has touted that GSA, along with NASA and the State Department, are users.
In FOIA requests FedScoop submitted to the agencies reportedly using Slack, only GSA would admit they are in fact using the service. 18F has publicized a lot of the work it has done with Slack, including a bot that onboards new employees.
After the release of the report, Rep. Jason Chaffetz, R-Utah, issued a statement calling the incident “alarming.”
“While we appreciate the efforts to recruit IT talent into the federal government, it appears these ‘experts’ need to learn a thing or two about protecting sensitive information,” the chairman of the House Committee on Oversight and Government Reform said. “The committee intends to further investigate this matter to ensure proper security protocol is followed.”
Read the IG’s management alert on their website.
UPDATE 2:50 p.m.:
18F has written a blog post about the incident, with the office saying it conducted a “full investigation and to our knowledge no sensitive information was shared inappropriately.”
The incident stems from 18F integrating Slack with Google Drive — something Slack users often do — which runs afoul of the way the government wants to store its information.
“Upon discovering that this integration had been accidentally enabled, we immediately removed the Google Drive integration from our Slack, and then we reviewed all Google Drive files shared between Slack and Drive, just to be sure nothing was shared that shouldn’t have been,” the blog post reads. “Our review indicated no personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property was shared.”
UPDATE 3:11 p.m.:
Slack has issued a statement:
“The issue reported this morning by the GSA Office of the Inspector General does not represent a data breach of Slack, and customers should continue to feel confident about the privacy and security of the data they entrust to Slack.
Slack leverages the existing Google authentication framework when users integrate Google Drive with Slack. This integration allows users to more easily share documents with other team members in Slack. However, only team members who have access to the underlying document from the permissions that have been set within Google can access these documents from links shared in Slack. Sharing a document into Slack or integrating Google Drive with Slack does not alter any existing Google document or Google Drive access permissions. Those permissions are set and managed within Google. Slack is unable to modify, grant or extend any permissions that exist in Google Drive.”
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.