Slack Connect DM new feature drew a barrage of criticism

This week Slack's developers announced a new Connect DM feature that allows sending messages directly to any Slack user in any organization. The developers positioned it as a new and convenient way to communicate with business partners.

However, users and cybersecurity experts did not like that the new functionality was enabled by default. The fact is that even if a user has Connect DM disabled, they will still receive email notifications and messages from everyone who tried to contact them, including random people who may abuse this feature simply to send someone a barrage of insults.

Even worse, outsiders were suddenly able to speak directly to employees of any company and invite them to private chats, where they could be subjected to phishing attacks and social engineering.

The community's reaction was immediate. For example, on Twitter, several security experts wrote that this function can be abused not only for phishing or spreading malware, but also for sending spam and harassing specific people. The problem is that users had no mechanism to block such messages, and not even the ability to report abuse to an administrator.

"If someone in a free Slack *ever* accepts a cross-Slack DM invite, even if that connection is later revoked, anyone in that other Slack can forever find all the members of that free Slack and see their profiles. There is no way for someone running a free Slack to turn this off," activist Tom Lowenthal tweeted.

Because of this, companies began disabling Connect DM en masse, and information security specialists advised using this function only in conjunction with strict access control lists that let an organization control which employees can participate in inter-organizational chats.

Vice's Motherboard contacted Slack representatives and asked what they intend to do about the problems that have arisen.

The company admitted that they made a mistake:

"Following the deployment of Slack Connect DM, we received valuable feedback from our users that email invitations to use this feature could potentially be used to send offensive or annoying messages. We're already taking immediate steps to prevent this kind of abuse: as of today, we've removed the option to customize invite messages where a user invites someone to join Slack Connect DM. In the initial rollout of [new feature], we made a mistake that is incompatible with our product goals and our normal Slack Connect experience," Slack's vice president of communications and policy Jonathan Prince said.

At the same time, a Slack spokesman declined to say whether the company plans to rework Slack Connect DM as a whole and, for example, add a much-needed blocking feature. The company said that its Trust & Safety team has been operating at Slack since 2016, but Slack disclaims responsibility for moderating its platform, shifting it to the companies that use it.

Let me remind you that a researcher discovered a vulnerability in Telegram that allows locating a user.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
