Slack’s new DM feature can be used to send abuse and harassment with just an invite

Slack’s newest direct message feature, part of a broader cross-organizational tool called Slack Connect, lets anyone with a professional Slack account DM another user so long as they have their email address. These messages, which are attached to invites, can be potentially abusive or harmful, points out Menotti Minutillo, a Twitter product employee who works on the company’s developer platform trust team.

There’s no way to block these invites, either. You could also trick someone into accepting your invite and then send them harassment or abusive messages.

The option appears available only to those with enterprise Slack accounts. The free version of Slack does not currently support the Connect platform, which launched last year. Slack previewed the option to DM anyone last October, and today it started rolling out the feature to all paid accounts.

But as Minutillo makes clear, there does not appear to be any safeguards against bad behavior built into the feature. You can’t opt out of the Connect DM feature unless your entire organization disables it, and you can’t block an email address from repeat messages or invites. Even if a workplace disables the ability to accept these invites, Minutillo says the optional invite text still shows up in the email in the tests he performed. TechCrunch reports that the whole feature is opt-in from an IT admin level, but that doesn’t suggest you can turn it off for your individual account if your organization keeps it active.

One possibility is to filter your email to block specific subject lines, Minutillo says. But if the person trying to contact you switches email accounts, that won’t work either. Connect DMs require a verified email address that can, in theory, be traced back to an employer in some circumstances. Connect is available to anyone with a Standard tier account, which costs $8 per person per month. However, Slack also offers a free trial for its Standard and Plus tiers that might make signing up for such an account easier and cost-free.

Slack did not immediately respond to a request for comment.

I tested this with my personal email account, and it’s easy to do:

Screenshot by Nick Statt / The Verge

Slack, because it operates a free version that can be styled into semi-public chat rooms, has always had to deal with abuse. As pointed out by some users responding in Minutillo’s thread, public Slack channels can still be abused by way of account invites, spam, and other techniques to send unwanted or hateful messages.

For instance, even if a public-facing Slack channel disables the ability for new users to post, they can still style usernames as short, abusive messages that show up in public channels.

Slack also doesn’t have the tools to monitor this harassment if it happens in private channels. The company outlined its data retention and privacy practices in an interview with Protocol published today that specify that each person’s parent organization will have the ability to store and read messages, as well as delete them.

Protocol reports that Slack is verifying organizations that receive Connect access to ensure you know you’re talking to a legitimate member of another company, but that doesn’t stop someone from trying to masquerade as a legitimate corporate employee to try to initiate private DM conversations.

Slack’s new form of DM is a pretty basic yet powerful two-way communication channel now open to the millions upon millions of its enterprise users, with no obvious opt-out.