Slack became a public messaging platform this morning with the wider rollout of a new cross-organizational direct messaging feature, and it is already taking steps to mitigate the dangers of operating such a platform without well thought-out moderation protections.
The company says that, in response to concerns that the feature could be used to send abusive or harassing messages with relative ease, it has now disabled the option to attach a custom message to an invitation. This way, someone who knows your email address can no longer spam your inbox with potentially abusive messages via the invite.
“After rolling out the Slack Connect DMs this morning, we received valuable feedback from our users on how email invitations to use the feature could be used to send abusive or harassing messages. We are taking immediate action to prevent this type of abuse, starting today with the removal of the ability to personalize a message when a user invites someone to Slack Connect DMs,” said Jonathan Prince, vice president of corporate communications and policy, in a statement to The Verge.
“Slack Connect’s robust security features and administrative controls are at the heart of its value to both individual users and their organizations. We made a mistake during this initial deployment that is inconsistent with our goals for the product and the typical experience of using Slack Connect. As always, we are grateful to all who have spoken up and are committed to resolving this issue.”
The general concern, first raised by Twitter employee Menotti Minutillo, was that the feature had no strong opt-out protections for individual users and no easy way to stop people from spamming you with email invitations. It seems benign at first glance: if someone wants to harass you and has your email address, surely they can just send you a harassing email directly. But Slack Connect bypasses any inbox filters or protections you might have in place, because the invitation is sent from Slack’s own address, [email protected], and the email carries whatever message the sender chose to include with the invitation.
Well it was easy as shit to abuse
– send an invitation with nasty language
– emails go to you with the full content of the invitation
– cannot block the emails because they come from a generic secondary address that notifies you of invitations
– the attacker can continue to invite with abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO
– Menotti Minutillo (@44) March 24, 2021
This means that if your organization is using this feature, you can’t filter these emails out without risking missing important Slack emails, and you also have no easy way to unsubscribe. (It’s not even clear at this time whether the feature can be turned off for individual accounts.) TechCrunch reported this morning that the DM feature is opt-in, activated at the discretion of a business or organization’s IT department, but that doesn’t mean every employee gets active control over who can DM them. There was also no filtering or monitoring in place to detect whether someone was sending a hateful message.
New concerns are also emerging, such as the ability to see every Slack workspace a person belongs to, whether paid or free, once that person accepts an invite from someone using Slack Connect. And while Slack Connect is primarily designed for corporate users whose businesses pay for premium features, a Slack Standard plan with Connect enabled costs just $8 per user per month (or $6.67 per user per month when billed annually). This suggests that someone could exploit these issues quite easily and inexpensively if they wanted to, even without the invitation message feature that Slack just turned off.
Ok, so not only is this a vector for harassment, but if you provide someone’s email address, it shows you the name of every Slack they’re on. This is a critical and catastrophic information leak: https://t.co/XwLCt8Rl34
– Eleanor Saitta (@Dymaxion) March 24, 2021