Cross-Gateway Slack Message Leakage Between Separate Apps

[h-mascot]

Bug: Cross-Gateway Slack Message Leakage

Summary

Messages sent to one Slack bot's DM channel are appearing in a different gateway's session.

Environment

• Clawdbot version: 2026.1.11-4
• Two separate gateways on different GCP VMs
• Two separate Slack apps with different bot tokens and app tokens

Setup

• Gateway A (ada-gateway): Slack app "Super Ada" (A0A6ZEKRRH7)

  • Bot token: xoxb-...-1021819...
  • App token: xapp-1-A0A6ZEKRRH7-...
  • DM channel with user: D0A6Q6J3ZHS

• Gateway B (auntypelz-vm): Slack app "AuntyPelz" (A0A813NL7PG)

  • Bot token: xoxb-...-1026878...
  • App token: xapp-1-A0A813NL7PG-...
  • DM channel with same user: D0A7ZPY5X45

Bug Behavior

When user sends a message to Gateway B's DM (D0A7ZPY5X45), the message also appears in Gateway A's session with the metadata:

[slack message id: 1768285339.587399 channel: D0A7ZPY5X45]

Gateway A's bot token CANNOT access channel D0A7ZPY5X45 (verified via conversations.info returning channel_not_found).

Expected Behavior

Messages to D0A7ZPY5X45 should ONLY be received by Gateway B (AuntyPelz), not Gateway A (Super Ada).

Verified

• Different Slack apps ✓
• Different bot tokens ✓
• Different app tokens ✓
• No hooks configured from B to A ✓
• No shared session storage ✓
• Gateway A cannot access the DM channel via API ✓

Reproduction

1. Set up two gateways with different Slack apps in same workspace
2. DM each bot from same user account
3. Messages to Bot B's DM appear in Bot A's session

Possible Causes

• Slack socket mode event routing issue?
• Workspace-level event subscription affecting both apps?
• Session key collision?
• Something else in Clawdbot's message routing?

[roshanasingh4]

Thanks — this symptom strongly suggests the gateway is receiving Slack Socket Mode events using an app token that doesn’t match the bot token used for Web API calls. To confirm with certainty, could you share the following (no secrets needed; redact tokens but keep prefixes like xoxb-/xapp-):

1. On Gateway A (Super Ada), are Slack tokens coming from config (slack.accounts.default.*) or env vars? Specifically: are both SLACK_BOT_TOKEN and SLACK_APP_TOKEN set on that VM?

2. On Gateway A, what does Slack auth.test return for the bot token? Please share team_id, team, user_id, and api_app_id (no token).

3. For one of the ‘leaked’ events that Gateway A processed (the one showing channel D0A7ZPY5X45), can you share the top-level team_id and api_app_id from the raw Socket Mode envelope (redact message text/user ids if you want)?

4. Are both Slack apps installed in the same workspace (same team_id) or different workspaces?

If the incoming event’s team_id/api_app_id matches Gateway B but Gateway A’s bot token auth.test differs, that conclusively indicates a bot/app token mismatch (e.g. Gateway A running with Gateway B’s SLACK_APP_TOKEN).

[roshanasingh4]

I found a concrete footgun in the Slack Socket Mode integration: we never verify that the Socket Mode app token (xapp-…) matches the same Slack app as the bot token (xoxb-…). If those ever get crossed at runtime, a gateway can receive events for App B over the socket while using App A for Web API calls — matching the reported symptom.

PR: #889

Fix summary

• Capture bot token identity via auth.test (team_id + api_app_id).
• Drop inbound events when the Socket Mode envelope body.api_app_id or body.team_id does not match.
• Emit a clear error when bot token api_app_id disagrees with the app token's embedded app id.

This should prevent "cross-app" events from being processed even if Slack delivers them or tokens are mismatched.

[roshanasingh4]

Update: PR #889 has been rebased onto upstream main and now contains only the Slack Socket Mode api_app_id/team_id filtering fix (the earlier unrelated commit is gone).

[thewilloftheshadow]

Fixed by #889 (commit dadef27). Slack Socket Mode now filters events by api_app_id/team_id to prevent cross-gateway leakage.

[hxy91819]

Note from maintainer (@hxy91819): The original comment by @henrino3 has been removed due to secret leakage. Below is the redacted version of the original content.

---

1. Token Storage
Both gateways use file-based config at ~/.clawdbot/clawdbot.json (not env vars).

Gateway A (Super Ada):

• botToken: [REDACTED slack_api_token]
• appToken: [REDACTED slack_api_token]

Gateway B (AuntyPelz):

• botToken: [REDACTED slack_api_token]
• appToken: [REDACTED slack_api_token]

2. auth.test Results (Gateway A - Super Ada)

{
  "team_id": "T0LGMRJLU",
  "user_id": "U0A6E5L7L7M",
  "bot_id": "B0A6LGNKU3U"
}

3. auth.test Results (Gateway B - AuntyPelz)

{
  "team_id": "T0LGMRJLU",
  "user_id": "U0A7WP4H7EX",
  "bot_id": "B0A813T04NS"
}

4. Both apps in the SAME workspace: team_id: T0LGMRJLU (Curacel)

5. Raw event from leaked message (D0A7ZPY5X45):

{
  "ts": "1768354956.158119",
  "type": "message",
  "user": "U0LGU88M8",
  "team": "T0LGMRJLU",
  "team_id": null,
  "api_app_id": null
}

Both apps share the same team_id (T0LGMRJLU) — installed in the same Curacel Slack workspace. The message leakage likely stems from Socket Mode event routing within a shared workspace.

[hxy91819]

@henrino3 ⚠️ Security Notice: Secret Leakage Detected

GitHub Secret Scanning detected the following exposed secret types in your comment:

1. Slack API Token (Gateway A botToken)
2. Slack API Token (Gateway A appToken)
3. Slack API Token (Gateway B botToken)
4. Slack API Token (Gateway B appToken)

The original comment has been removed and replaced with a redacted version.

Please rotate these credentials immediately.

These secrets were publicly exposed and should be considered compromised. For Slack tokens, go to https://api.slack.com/apps to revoke and regenerate the affected tokens.