Slack became a public messaging platform this morning with the broader rollout of a new cross-organizational instant messaging feature, and now it is already taking steps to reduce the dangers of operating such a platform without well-thought-out moderation protection.
The company says that, in response to concerns that the feature could be used to send violent or harassing messages with relative ease, it has now disabled the ability to attach a message to an invitation. That way, someone who knows your email address cannot use the invitation to push potentially violent messages into your inbox.
“After launching Slack Connect DMs this morning, we received valuable feedback from our users on how email invitations to use the feature could potentially be used to send violent or harassing messages. We are taking immediate steps to prevent this type of abuse, and today we begin by removing the possibility of customizing a message when a user invites someone to Slack Connect DMs,” says Jonathan Prince, the company
“Slack Connect’s security features and robust administrative controls are an important part of the value for both individual users and their organizations. We made a mistake in this initial rollout that is not in line with our product goals and the typical Slack Connect usage experience. As always, we are grateful to everyone who spoke, and we are committed to solving this problem.”
The general concern, first raised by Twitter employee Menotti Minutillo, was that the feature had no robust opt-out protection for individual users and no easy way to stop people from spamming you with email invitations. On the surface this looks benign: if someone wants to harass you and has your email address, they can probably just send you a harassing email directly. But Slack Connect bypasses any filter or inbox protection you might have in place, because the invitation arrives as an email from the firstname.lastname@example.org address, and that email carries whatever message the sender chose to attach.
well it was easy as shit to abuse
– send invitation with nasty language
– drop emails with the entire contents of the invitation
– cannot block emails because they come from a general slack address that informs you of invitations
– abuser can continue to invite with violent language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO
– Menotti Minutillo (@ 44) March 24, 2021
This means that if your organization uses this feature, you cannot filter these emails out without risking missing important Slack emails, and you also have no easy way to opt out. (It’s not even clear right now whether the feature can be turned off for individual accounts.) TechCrunch reported this morning that the DM function would be opt-in, for a company or the organization’s IT department to activate at its own discretion, but that does not mean individual employees get active control over who can DM them. And there was no filtering or monitoring in place that would detect whether someone had sent a hateful message.
New concerns also arise, such as being able to see which Slack workspaces an individual belongs to, paid or free, if that person accidentally accepts an invitation from someone using Slack Connect. And while Slack Connect is generally designed for enterprise users whose companies pay for premium features, a Slack Standard plan with Connect enabled costs as little as $8 per month per user (or $6.67 per month per user when billed annually). That suggests these issues can be exploited quite easily and cheaply by anyone who chooses to, even with only the custom invitation message disabled.
Ok, so not only is this a harassment vector, but if you enter someone’s email address, it will show you the name of each slack they are on. This is a critical and catastrophic information leak: https://t.co/XwLCt8Rl34
– Eleanor Saitta (@Dymaxion) March 24, 2021