Ubiquitous work-chat platform Slack this morning rolled out a new feature, Connect DM, that allows users to send direct messages to people they don’t work with. Hours later, the company is already saying “our bad” and promising an update after users demonstrated almost immediately how easy it is to use Connect DM to abuse or harass others.
Slack first rolled out Slack Connect last year, which allowed companies to create channels shared between multiple Slack workspaces to facilitate business operations. Basically, if you work for Widget Film Production Inc. and you are collaborating on a project with Venue Studio Corp., Widget employees and Venue employees can both join a shared Slack channel to discuss location scouting for their upcoming project.
Today, however, Slack added a feature that allows anyone in the world with a paid account to send a direct message request to any other Slack user in the world (even if they do not have a paid account). Ilan Frank, Slack’s VP of product, told tech news site Protocol that Slack is deliberately positioning itself to become the chat platform of choice for the business world. “When someone opens up their phone, if they’re connecting with their friends, they click on Facebook or WhatsApp,” Frank said. “If they’re connecting with someone they work with, regardless of where that person works, they should be clicking on Slack.”
Slack appears to have considered the possibility that some bad actors might use its platform for harassment—but it doesn’t appear to have thought about that potential very hard or for very long. Connect DMs are indeed opt-in, in that you have to accept a request from someone before you can interact with them. There’s a giant loophole there, however: the user making the “invitation” gets to send a message of up to 560 characters to their targeted recipient, and Slack emails the recipient the full body of that message.
I used the Ars Technica Slack server to send a dummy invitation to my personal email address to demonstrate:
As others have noted, recipients who receive abusive, harassing, or threatening messages also cannot easily block a specific sender, because Slack sends the notifications from a generalized master inbox.
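The two design problems described above (inviter-controlled text delivered before consent, and a generic sender address that leaves nothing to block) can be modelled as an added example; this is illustrative code, not Slack's, and the `Invite`, `InviteService` names, the `X-Invite-Sender` header and the `workspace/user` identifier format are hypothetical:

```python
from dataclasses import dataclass, field

INVITE_TEXT_LIMIT = 560  # length quoted in the article


@dataclass
class Invite:
    sender_id: str        # stable inviter identity, hypothetical "workspace/user" form
    recipient: str        # recipient e-mail address
    custom_text: str      # inviter-controlled free text, up to INVITE_TEXT_LIMIT chars
    accepted: bool = False


def render_email_vulnerable(inv: Invite) -> str:
    # Original behaviour: the free text is mailed before any consent, from one
    # generic address, so the recipient has no per-sender identity to block.
    return ("From: notifications@chat.example\n"
            "Subject: You have a new direct message request\n\n"
            + inv.custom_text[:INVITE_TEXT_LIMIT])


def render_email_hardened(inv: Invite) -> str:
    # Consent-gated notification: names the sender, exposes a stable identifier
    # for blocking, and withholds the free text until the recipient accepts.
    return ("From: notifications@chat.example\n"
            f"X-Invite-Sender: {inv.sender_id}\n"
            f"Subject: {inv.sender_id} wants to start a direct message\n\n"
            "Accept this request to read their message, or block this sender.")


@dataclass
class InviteService:
    blocked: dict = field(default_factory=dict)   # recipient -> set of sender_ids
    pending: dict = field(default_factory=dict)   # (sender_id, recipient) -> Invite
    outbox: list = field(default_factory=list)    # rendered notification e-mails

    def block(self, recipient: str, sender_id: str) -> None:
        self.blocked.setdefault(recipient, set()).add(sender_id)

    def send(self, inv: Invite) -> bool:
        # Queue a hardened notification; silently drop invites from blocked senders.
        if inv.sender_id in self.blocked.get(inv.recipient, set()):
            return False
        inv.custom_text = inv.custom_text[:INVITE_TEXT_LIMIT]
        self.pending[(inv.sender_id, inv.recipient)] = inv
        self.outbox.append(render_email_hardened(inv))
        return True

    def accept(self, sender_id: str, recipient: str) -> str:
        # Only after explicit acceptance is the held text released to the recipient.
        inv = self.pending.pop((sender_id, recipient))
        inv.accepted = True
        return inv.custom_text
```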
Following the widespread Twitter and media attention, Slack this afternoon acknowledged the gaping flaw in its process—the customizable invitation text—and promised to amend it.
“After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages,” the company said in a statement. “We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”