The ubiquitous work chat platform Slack this morning launched a new feature, Connect DM, which allows users to send direct messages to the people they no work with. Hours later, the company is already saying “our evil” and promising an update after users demonstrated almost immediately how easy it is to use Connect DM to abuse or harass others.
Slack launched Slack Connect last year, which allowed companies to create channels shared between multiple Slack servers to facilitate business operations. Basically, if you work for Widget Film Production Inc. and are collaborating on a project with Venue Studio Corp., employees at Widget and Venue can join a shared Slack channel to discuss the location of their next project.
Today, however, Slack has added a feature that allows anyone in the world with a paid account to send a direct message request to any other Slack user in the world (even if they do no have a paid account). Ilan Frank, vice president of product at Slack, told the technology news site Protocol that Slack is deliberately positioning itself to become The favorite chat platform in the business world. “When someone opens the phone, if they are connecting with their friends, click on Facebook or WhatsApp,” said Frank. “If they are connecting with someone they work with, regardless of where that person works, they should click on Slack.”
Slack seems to have considered the possibility that some malicious actors could use his platform for harassment – but he doesn’t seem to have thought much of that potential or for a long time. Connect DMs are in fact opt-in, in the sense that you have to accept a request from someone before you can interact with them. However, there is a big gap there: the user who makes the “invitation” can send a message of up to 560 characters to the recipient, and Slack sends an email to the recipient with the full body of the message.
I used the Ars Technica Slack server to send a dummy invitation to my personal email address to demonstrate:
-
The test message I sent to my personal email address was significantly less rude than many of the Twitter DMs I receive.
-
And behold, I received all my rude message to myself in my personal inbox.
How others noticed, recipients who receive abusive, harassing or threatening messages are also unable to easily block a specific sender because Slack sends notifications from a generalized master inbox.
Following the wide attention of Twitter and the media, Slack this afternoon acknowledged the flaw in his process – the customizable invitation text – and promised to fix it.
“After launching the Slack Connect DMs this morning, we received valuable feedback from our users on how email invitations to use the feature could be used to send abusive or harassing messages,” the company said in a statement. . “We are taking immediate steps to prevent this type of abuse, starting today with removing the ability to personalize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are an essential part of its value to individual users and their organizations. We made a mistake in this initial release that is inconsistent with our product goals and the typical experience of using Slack Connect. As always, we are grateful to everyone who spoke and we are committed to correcting this problem. “