Slack became a public messaging platform this morning with the wider rollout of a new cross-organizational direct messaging feature, and now it’s already taking steps to mitigate the dangers of operating such a platform without well-thought-out moderation protections.
The company says in response to concerns the feature could be used to send abusive messages or harassment with relative ease, it’s now disabling the option to send a message alongside an invite. That way, if someone knows your email address, they can’t spam your inbox with potentially abusive messages.
“After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs,” Jonathan Prince, the company’s vice president of communications and policy, tells The Verge.
“Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”
The overall concern, first raised by Twitter employee Menotti Minutillo, was that the feature did not have robust opt-out protections for individual users and no way to easily prevent people from spamming you with email invites. That seems benign on the surface; if someone wants to harass you and they have your email address, surely they can just send you a harassing email. But Slack Connect bypasses any filters or inbox protections you may use by sending you an email from its firstname.lastname@example.org address with the DM invite, with the email containing whatever message the sender decided to attach.
well that was easy as shit to abuse— Menotti Minutillo (@44) March 24, 2021
- send invite with nasty language
- slack emails you w/ the full content of the invite
- can't block the emails because they come from a generic slack address that informs you of invites
- abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO
That means if your organization uses this feature, you can’t filter it out without fear of missing important Slack emails and you also have no easy way to opt out. (It’s not even clear right now whether the feature can be turned off for individual accounts.) TechCrunch reported this morning that the DM feature would be opt-in for a company’s or organization’s IT department to enable at its discretion, but that doesn’t mean it would give individual employees active control over who could DM them. And there was also no filtering or monitoring in place that would detect whether someone was sending a hateful message.
While Slack Connect is generally designed for enterprise users whose companies pay for premium features, a Slack Standard plan with Connect enabled costs as little as $8 per month per user (or $6.67 per month per user when billed annually). That suggests someone could exploit these issues rather easily and on the cheap if they choose to, even in the absence of the invite message feature Slack just disabled.
There have been new concerns popping up, too, such as being able to view whatever Slack groups individuals are a part of — either paid or free ones — if that person happens to accept an invite from someone using Slack Connect. A Slack spokesperson has confirmed to The Verge these fears are unfounded, as that information is only displayed to the person accepting the invite as a method of determining what Slack workspace they’d like to accept the invitation from.
This has been retracted — turns out it was a mistake by the original tweeter. However, the information leak around profile listings has been confirmed: https://t.co/ky3qJYCcv8. https://t.co/ePoDQuU4En— Eleanor Saitta (@Dymaxion) March 24, 2021
Update March 24th, 4:12PM ET: Added clarification from Slack specifying that the profile information leak concerns regarding DM invites are unfounded, as the information is not made publicly available to the sender.