Today, workplace chat company Slack launched a new feature with a goatse-sized privacy loophole: You can add people from outside your company’s Slack. From there, you can DM them or add them to group DMs or channels inside an existing Slack.
As you might have guessed, this did not go smoothly. A few hours after launching, Slack had already canceled a feature that allowed people to tack on a message to their invite emails due to the possibility of harassment.
“Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations,” Jonathan Prince, a Slack spokesperson, told BuzzFeed News. “We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage.”
Here’s how it’s meant to work, in a nice, pleasant world: You’re a salesperson with Acme Corp, and you want to talk with your client, NiceStore, about their recent order. Both companies use Slack to discuss things internally. So, instead of reaching your client only over email and phone calls (wow, so 20th century), you can now connect over DMs to talk about the latest shipment of Acme widgets.
Adding someone to your work Slack isn’t giving them access to the whole thing, letting them poke around different channels as if they were an employee. Instead, it allows you to do very limited communications — DMs, mainly. You need admin-level access to add them to any channels (BuzzFeed’s admins, who are cowards, refused my requests to add a bunch of former coworkers back into our Slack channel).
There are some unpleasant quirks. For example, a friend sent an invite to my buzzfeed.com email to join his workplace Slack. But when I clicked that invite link in my email, it opened a Chrome tab to Slack, which was logged in already — with my personal email, connected to personal-use Slacks. I hastily accepted it, inadvertently adding my personal Slack to his professional workplace.
In a nice, normal world, that would be the worst part of it. Well, sadly, this isn’t a nice, normal world. And Slack isn’t just used by companies with responsible employees and robust admins. The free version of Slack is used for all sorts of things — friends chatting, neighborhood mutual aid groups, cabals of assholes and scoundrels, etc. Every form of dipshit, troll, and harasser exists on a free Slack somewhere. It’s the internet!
Very quickly, Menotti Minutillo, a Twitter employee, noticed that at least one aspect of the change was ripe for abuse. When you invite someone, it sends them an email from a slack.com address, but you can write in whatever message you want — a way for someone whom you have blocked on other forms of email or communication to contact you.
“It feels off to me that Slack released this feature without pressure testing it for abuse and harassment concerns,” Rachel Tobac, CEO of security firm SocialProof Security, told BuzzFeed News. “As users, it’s not our job to dig into a feature and raise the alarm about a feature that can be used for harassment — it’s great they changed the feature ASAP to close that oversight quickly today, but it’s essential that all orgs consider and test for harassment and abuse before launching.”
Tobac also pointed out that allowing in extra people to a group Slack heightens the need for a common feature that Slack has never had: a block button.