Slack became a public messaging platform this morning with the broader launch of a new direct messaging feature between organizations and is now taking steps to mitigate the dangers of operating such a platform without well-planned moderation protections.
The company says that in response to concerns that the feature could be used to send abusive messages or harassment relatively easily, it is now disabling the option to send a message along with an invitation. That way, if someone knows your email address, they won’t be able to send spam to your inbox with potentially abusive messages.
“After launching the Slack Connect DMs this morning, we received valuable feedback from our users on how email invitations to use the feature could be used to send abusive or harassing messages. We are taking immediate steps to prevent this type of abuse, starting today with the removal of the ability to personalize a message when a user invites someone to Slack Connect DMs, ”said Jonathan Prince, vice president of communications and policies for the company. The Verge.
“Slack Connect’s robust security features and administrative controls are an essential part of its value for individual users and their organizations. We made a mistake in this initial release that is inconsistent with our goals for the product and the typical experience of using Slack Connect. As always, we are grateful to everyone who spoke and are committed to fixing this problem. ”
The general concern, first raised by Twitter official Menotti Minutillo, was that the feature had no robust cancellation protections for individual users and no way to easily prevent people from emailing you invitations. This looks benign on the surface; if someone wants to harass you and has your email address, you can certainly just send a harassing email. But Slack Connect ignores any inbox filters or protections you can use by sending an email from [email protected] with the DM invitation, with the email containing any message the sender has decided to attach.
well, that was so fucking easy to abuse
– send invitation with unpleasant language
– slack emails to you with all the content of the invitation
– you cannot block emails because they come from a generic idle address that informs you of invitations
– the attacker can continue inviting with abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO– Menotti Minutillo (@ 44) March 24, 2021
This means that if your organization uses this feature, you will not be able to filter it without fear of losing important emails from Slack and you will also not have an easy way to unsubscribe. (It is not yet clear whether the feature can be disabled for individual accounts.) TechCrunch reported this morning that the DM feature would be opt-in for the IT department of a company or organization to enable at its discretion, but that does not mean it would give the individual employee active control over who could DM them. There was also no filtering or monitoring to detect whether someone was sending a hate message.
There are new concerns arising as well, such as being able to see the Slack groups that individuals are part of – whether paid or free – if that person accepts an invitation from someone using Slack Connect. And while Slack Connect is generally designed for business users whose companies pay for premium features, a Slack Standard plan with Connect enabled costs only $ 8 per month per user (or $ 6.67 per month per user when charged annually). This suggests that someone can exploit these issues quite easily and cheaply if they want, even in the absence of the invitation message feature that Slack has just disabled.
Okay, this is not just a harassment vector, but if you enter someone’s email address, it will show the name of each time off. This is a critical and catastrophic information leak: https://t.co/XwLCt8Rl34
– Eleanor Saitta (@Dymaxion) March 24, 2021