Popular messaging platform Slack, owned by Salesforce, has had to quickly retreat on a new feature called Connect after users angrily pointed out that it could be used to send abusive and harassing messages to people at external organisations.
Slack Connect was released today for paying customers, and is designed to replace email messages.
Once paid Slack customers enable Connect, any of their users can send direct messages to anyone, inside and outside their organisations, without administrative approval beforehand.
Users quickly discovered that the customisable Slack Connect invitations could be turned into unblockable missives of abuse and rudeness, and reacted angrily to the intrusive feature.
well that was easy as shit to abuse
- send invite with nasty language
- slack emails you w/ the full content of the invite
- can't block the emails because they come from a generic slack address that informs you of invites
- abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a
— Menotti Minutillo (@44) March 24, 2021
Other users expressed concern that Slack Connect could be used to send unwanted and potentially dangerous files in DMs.
Furthermore, it appears to be possible to enumerate and map Slack users on the free version of the messaging program, should they accept a Connect invitation.
It is not possible to disable the receiving of Connect invitations on the free version of Slack.
If someone in a free Slack *ever* accepts a cross-Slack DM invite, even if that connection is later revoked, anyone in that other Slack can forever find all the members of that free Slack and see their profiles. There is no way for someone running a free Slack to turn this off.
— Tom Lowenthal (@flamsmark) March 24, 2021
Facing user furore, Slack confirmed that it will rework the Slack Connect feature, its vice-president of communications and policy Jonathan Prince said.
"After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages," Prince said.
"We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customise a message when a user invites someone to Slack Connect DMs.
"Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organisations.
"We made a mistake in this initial rollout that is inconsistent with our goals for the product and the typical experience of Slack Connect usage.
"As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue."