The ubiquitous chat platform Slack this morning launched a new feature, Connect DM, which allows users to send instant messages to people they do not work with. Hours later, the company already says “our bad.”
Slack first rolled out Slack Connect last year, which allowed companies to create channels shared between multiple Slack servers to facilitate business operations. Basically, if you work for Widget Film Production Inc. and you are collaborating on a project with Venue Studio Corp., Widget employees and Venue employees can both join a shared Slack channel to discuss site searches for their upcoming project.
Today, however, Slack added a feature that allows anyone in the world with a paid account to send an instant messaging request to any other Slack user in the world (even if they do not have a paid account). Ilan Frank, Slack’s VP for product, told tech news site Protocol that Slack is consciously positioning itself to become the default chat platform for business. “When someone opens their phone, if they connect with their friends, they click on Facebook or WhatsApp,” Frank said. “If they have contact with someone they work with, no matter where they work, they should click on Slack.”
Slack seems to have considered the possibility that some bad actors could use the platform for harassment – but it does not seem to have thought about the potential very hard or very long. Connect DMs are actually opt-in, in that you have to accept a request from someone before you can interact with them. However, there is a big loophole: the user making the “invitation” can send a message of up to 560 characters to the targeted recipient, and Slack emails the recipient the entire message.
I used the Ars Technica Slack server to send a dummy invitation to my personal email address to demonstrate:
As others have noted, recipients who receive violent, harassing or threatening messages also cannot easily block a particular sender, because Slack sends the alerts from a single generic mailbox rather than from an address tied to the sender.
After widespread attention on Twitter and in the media, Slack this afternoon acknowledged the gaping hole in the process – the customizable invitation text – and promised to change it.
“After launching Slack Connect DMs this morning, we received valuable feedback from our users on how email invitations to use the feature could potentially be used to send violent or harassing messages,” the company said in a statement. “We are taking immediate steps to prevent this type of abuse, and today we begin by removing the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect security features and robust administrative controls are a key part of the value, both for individual users and their organizations. We made a mistake in this initial rollout that is not in line with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to solving this problem.”