Slack’s new DM feature can be used to send abuse and harassment with just an invite
[ad_1]
Slack’s newest direct message feature, part of a broader cross-organizational tool called Slack Connect, lets anyone with a professional Slack account DM another user so long as they have their email address. These messages, which are attached to invites, can be potentially abusive or harmful, points out Menotti Minutillo, a Twitter product employee who works on the company’s developer platform trust team.
There’s no way to block these invites, either. You could also trick someone into accepting your invite and then send them harassment or abusive messages.
well that was easy as shit to abuse
– send invite with nasty language
– slack emails you w/ the full content of the invite
– can’t block the emails because they come from a generic slack address that informs you of invites
– abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO— Menotti Minutillo (@44) March 24, 2021
The option appears available only to those with enterprise Slack accounts. The free version of Slack does not currently support the Connect platform, which launched last year. Slack previewed the option to DM anyone last October, and today it started rolling out the feature to all paid accounts.
But as Minutillo makes clear, there does not appear to be any safeguards against bad behavior built into the feature. You can’t opt out of the Connect DM feature unless your entire organization disables it, and you can’t block an email address from repeat messages or invites. Even if a workplace disables the ability to accept these invites, Minutillo says the optional invite text still shows up in the email in the tests he performed. TechCrunch reports that the whole feature is opt-in from an IT admin level, but that doesn’t suggest you can turn it off for your individual account if your organization keeps it active.
One possibility is to filter your email to block specific subject lines, Minutillo says. But if the person trying to contact you switches email accounts, that won’t work either. Connect DMs require a verified email address that can, in theory, be traced back to an employer in some circumstances. Connect is available to anyone with a Standard tier account, which costs $8 per person per month. However, Slack also offers a free trial for its Standard and Plus tiers that might make signing up for such an account easier and cost-free.
Slack did not immediately respond to a request for comment.
I tested this with my personal email account, and it’s easy to do:
Slack, because it operates a free version that can be styled into semi-public chat rooms, has always had to deal with abuse. As pointed out by some users responding in Minutillo’s thread, public Slack channels can still be abused by way of account invites, spam, and other techniques to send unwanted or hateful messages.
For instance, even if a public-facing Slack channel disables the ability for new users to post, they can still style usernames as short, abusive messages that show up in public channels.
even when i deleted my slack account, that didn’t stop people from spamming hundreds of slack invites with nasty things in it. pic.twitter.com/WQo5mSUIfR
— melody ✨ (@pixelyunicorn) March 24, 2021
Slack also doesn’t have the tools to monitor this harassment if it happens in private channels. The company outlined its data retention and privacy practices in an interview with Protocol published today that specify that each person’s parent organization will have the ability to store and read messages, as well as delete them.
Protocol reports that Slack is verifying organizations that receive Connect access to ensure you know you’re talking to a legitimate member of another company, but that doesn’t stop someone from trying to masquerade as a legitimate corporate employee to try to initiate private DM conversations.
Slack’s new form of DM is a pretty basic yet powerful two-way communication channel now open to the millions upon millions of its enterprise users, with no obvious opt-out.
[ad_2]
Source link