Today, Valleywag uncovered a troubling data leak in the popular chat app Slack. First unearthed by developer Tanay Sai, the issue is that Slack's sign-up process shows the popular rooms in a given company before a user is fully verified. That means that if you want to see what Google's working on, you can enter a dummy email@example.com account, see which teams have set up unique accounts, and cancel the process before entering a password. In fact, Valleywag pulled off this exact trick, discovering a "Tribe Wearables" room that hints at a possible acquisition. Slack has scrambled to fix the bug, and as of 4pm today it is no longer workable on the desktop app. The company is also pushing a mobile fix, but it is expected to propagate more slowly.
Not all companies using Slack are affected
In an official statement, Slack blamed the "team discovery" feature, an optional setting designed to introduce new users to various teams within a company. Visible here, the option is checked automatically, and admins must uncheck the box to opt out of the feature. Slack's statement emphasizes that the setting is optional, and any data leak can be avoided by disabling the function. "As companies have added more and more Slack teams, we've realized that this sign-in process, designed to make team communication faster and easier, has itself become cumbersome for many," the statement reads. "We have been working on updating our sign-in process to address this."
The bug appears to have been present for some time, and the company tweeted in August that the issue was "a tradeoff between usability and keeping the names secret." At the same time, the new publicity may be encouraging the company to change the way it approaches the function entirely. Slack founder Stewart Butterfield told The Next Web that the feature "won't be around much longer." We've reached out to Slack for comment, and will update with any official statement.
It's not strictly a security flaw, and there's no reason to believe private communications are compromised, but the feature still raises real questions about data security on Slack. Low-level data leaks are common in social apps like Facebook and Snapchat, but Slack is still a business service, serving major companies like Google, Microsoft, eBay, Sony and NBCUniversal. If Slack is really going to replace email, companies will need to trust it with sensitive information. As long as Slack faces data leaks like this one, it may have a hard time convincing more companies their data will be safe.
12:28pm ET: Updated with more detail on who is affected by the leak
1:03pm ET: Updated with more details on company response to the leak
1:43pm ET: Updated to include official Slack statement
2:26pm ET: Updated with further comment from Slack, including "team discovery" image
4:10pm ET: Updated with Slack statement that the bug has been fixed for the desktop app