Slack's Connect DM Feature Has A Security Flaw

Written by josephricard | Published 2021/05/08
Tech Story Tags: slack-app | slack | enterprise-technology | technology-news | slack-channels | security | privacy | data-privacy

TLDR: A new feature let anyone with a paid Slack account send message requests to any Slack user in the world (with or without a paid account). The objective was to turn Slack into a platform over which anyone can connect with the people they work with, regardless of which company employs them. The update, launched to benefit users, instead became an easy way to abuse, threaten and harass others, because the invitation carried free text that Slack emailed to the recipient before they had accepted anything. Slack had first implemented Slack Connect in 2020.

Not all that glitters is gold!
And that’s exactly what the new feature was that Slack rolled out just two weeks back! Uh-huh, we are talking about the “Connect DM” feature.
It was less a feature and more a blunder, one that made the company behind this ubiquitous work-chat platform say “Our bad” within hours of launching it. Yes, the new feature turned out to be that bad.
But what was this new feature all about? What went so wrong with the new feature? Has it led to harassment of individuals? You're going to find all your answers here.

Connect DM: The Latest Slack Feature

We all know about Slack. For those who don’t, it’s a workplace messaging app. 
For the last two weeks it has been in the news for all the wrong reasons. To be specific, for its new feature launch: Connect Direct Messaging.
Announced back in October 2020, the feature was meant to let Slack users directly message people outside their own companies. It was designed mainly for companies working with clients and partners.
This cross-organizational direct messaging feature let a sender put a message in front of the recipient before the recipient had accepted the Slack Connect invitation. And that’s where the trouble in the Slack paradise began!

The Expectation

It was in 2020 that Slack first implemented Slack Connect.
The objective of that implementation was to let companies create channels shared between multiple Slack workspaces, to speed up business operations.
For example, suppose you work for company ABC and are planning to collaborate with company XYZ. With Slack Connect, employees of both companies can join one shared channel to speed up their collaborative work on the upcoming project.
Slack Connect DMs, however, were rolled out only two weeks ago, and allowed anyone with a paid Slack account to send a message request to any Slack user in the world (with or without a paid account). The objective was to turn Slack into a platform over which anyone can connect with the people they work with, regardless of which company they work for.
Ilan Frank, Slack’s VP of product, told Protocol (a tech news website): “When someone opens up their phone, if they're connecting with their friends, they click on Facebook or WhatsApp”; similarly, “If they're connecting with someone they work with, regardless of where that person works, they should be clicking on Slack.”

The Reality 

However, nothing went as the company expected. The update, launched to benefit users, instead became an easy way to abuse, threaten and harass others.
Jonathan Prince, Slack’s VP of policy and communications, said: “We made a mistake in this initial roll-out”.
It is not that Slack failed to anticipate that some people might misuse the feature; it did consider the possibility. What it missed was thinking more thoroughly about how effective the feature would be as a medium for harassment.
Specifically, Slack did not pay enough attention to the custom message that a requester gets to send to the target recipient. The company didn’t notice the loophole; users spotted it almost immediately.
You see, with Slack’s new Connect Direct Messaging feature one cannot start chatting with someone directly. First, one has to send a message request to the recipient. Only once the recipient accepts the request can the two start interacting. Seems perfect, right?
And here comes the loophole!
The user who sends the message request gets up to 560 characters to write a message into that invitation, and Slack sends the full body of that message to the recipient’s email address. 560 characters is plenty for abusive, threatening or harassing messages.
So even if the recipient never chooses to interact with the sender, the recipient still receives the full text of the request in their inbox. The recipient’s consent gates the conversation, but not the first message.
Even worse, recipients of harassing messages can’t easily block specific senders, because Slack forwards the message from a generic Slack mailbox rather than from the sender’s own address, so a mail filter on the sender doesn’t help.
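To make the design flaw concrete, here is an added illustration (the editor’s code, not Slack’s implementation and not from the original post) of a pre-consent invitation flow. `render_invite_flawed` reproduces the behaviour described above: free text chosen by the sender is relayed by email from a generic platform address before the recipient has accepted anything. `render_invite_hardened` shows the controls a practitioner would want: no sender text before consent (the change Slack shipped), a stable sender identity in the notification so the recipient can block that account, an opt-out list, and a cap on unanswered invites per sender. The `Invite` and `InvitePolicy` types, the function names, the limits and the `noreply@example.invalid` address are assumptions made for the example; the 560-character limit is the figure reported for the original feature.

```python
"""Illustrative model of a pre-consent invitation email (editor's example, not Slack's code).

Assumed names: Invite, InvitePolicy, render_invite_flawed, render_invite_hardened,
block_sender, the sender address noreply@example.invalid, and the policy limits.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

CUSTOM_MESSAGE_LIMIT = 560  # length reported for the original Connect DM invitation text
PLATFORM_SENDER = "noreply@example.invalid"  # assumed generic sender address


@dataclass
class Invite:
    sender_id: str        # stable account id in the sender's workspace
    sender_name: str      # display name chosen by the sender
    sender_workspace: str
    recipient_email: str
    custom_message: str = ""


def render_invite_flawed(inv: Invite) -> dict:
    """The original behaviour: the sender's free text goes out verbatim, by email,
    to someone who has not accepted anything, from a generic platform address."""
    text = inv.custom_message[:CUSTOM_MESSAGE_LIMIT]
    return {
        "from": PLATFORM_SENDER,  # a mail filter on "from" cannot single out this sender
        "to": inv.recipient_email,
        "subject": f"{inv.sender_name} wants to message you",
        "body": f"{inv.sender_name} ({inv.sender_workspace}) says:\n\n{text}\n\nAccept or decline.",
    }


@dataclass
class InvitePolicy:
    """Server-side state the hardened flow consults before any email is generated."""
    max_pending_per_sender: int = 20
    pending: dict = field(default_factory=lambda: defaultdict(int))   # sender_id -> unanswered invites
    blocked: dict = field(default_factory=lambda: defaultdict(set))   # recipient_email -> {sender_id}
    opted_out: set = field(default_factory=set)                        # recipients refusing all invites


def render_invite_hardened(inv: Invite, policy: InvitePolicy) -> Optional[dict]:
    """Hardened variant. Returns None when no email may be sent.

    - No sender-controlled text before consent (the fix Slack shipped).
    - The body carries a stable sender account id, so the recipient can block
      the account rather than fighting a generic platform address.
    - Opt-out and block lists are honoured, and unanswered invites per sender
      are capped, so one account cannot flood a target with requests.
    """
    if inv.recipient_email in policy.opted_out:
        return None
    if inv.sender_id in policy.blocked[inv.recipient_email]:
        return None
    if policy.pending[inv.sender_id] >= policy.max_pending_per_sender:
        return None
    policy.pending[inv.sender_id] += 1

    # The display name is the only sender-chosen field left; keep it to one short line.
    name = " ".join(inv.sender_name.split())[:40]
    return {
        "from": PLATFORM_SENDER,
        "to": inv.recipient_email,
        "subject": "New direct message request",
        "body": (
            f"{name} from workspace {inv.sender_workspace} (account {inv.sender_id}) "
            "wants to start a direct message.\n"
            "Nothing they wrote is shown until you accept. Accept, decline, or block this account."
        ),
    }


def block_sender(policy: InvitePolicy, recipient_email: str, sender_id: str) -> None:
    """Recipient-side control that the generic-address design made impossible."""
    policy.blocked[recipient_email].add(sender_id)


if __name__ == "__main__":
    # Constructed sample input: a hostile sender and one target.
    attacker = Invite("U0ABUSE", "Mallory\nREAD THIS", "acme-corp", "target@example.org",
                      "you will regret this " * 40)
    print(render_invite_flawed(attacker)["body"])            # abuse text lands in the inbox
    policy = InvitePolicy()
    print(render_invite_hardened(attacker, policy)["body"])  # fixed template, account id shown
    block_sender(policy, "target@example.org", "U0ABUSE")
    print(render_invite_hardened(attacker, policy))          # None: blocked
```

The point of the hardened variant is not the template text but where the trust boundary sits: anything a stranger controls must stay on the sender’s side of the consent step, and whatever does reach the recipient must let them act against the account behind it, not against the platform’s shared mailbox.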

What’s Slack’s Take On Realizing The ‘blunder’

The widespread media attention and Twitter outrage that this ‘blunder’ garnered made the company acknowledge its mistake soon after. Slack recognized the “customizable invitation text” as a gaping flaw in the new feature and promised to amend it as soon as possible.
The company said: “After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages.” In other words, to spam your inbox.
The company further added: “We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations.
We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”
The company has disabled, for now, the option of sending a message along with the invite. Someone who knows your email address can still send you an invitation, but can no longer attach their own text to the email it generates.
Slack is also contemplating further steps to mitigate the risk of operating the feature without more carefully thought-out protection and moderation measures in place.

Wrapping Up

So you can see how even a renowned proprietary business communication platform ended up in trouble because it didn’t think through a new feature.
For a company as large as Slack, making amends for this ‘blunder’ may not be a problem; it has already removed the ability to customize the message when someone sends a Slack Connect DM invitation.
But for others, such neglect can become a serious threat to the very existence of their online business or software. And that’s why we, Klizo Solutions, are here.
We help you ensure your business apps and software work as intended by detecting and eliminating loopholes, vulnerabilities and glitches. We provide our global clientele with world-class application testing, support and management services.
Click here to connect with us and outsource your QA testing to us!

Written by josephricard | Founder & Director of Klizo Solutions. Creator of weedmachine.com. Constantly building advanced tech solutions.
Published by HackerNoon on 2021/05/08