Slack's new cross-business messaging feature was briefly an avenue for harassment
Following its recent acquisition by Salesforce, Slack is launching a new system that is intended to expand the chat service's reach to more people. However, as currently planned, the new Slack Connect is at best going to get users even more of the LinkedIn-style requests to connect.
"Simply send an invite to any partner and start messaging in Slack as soon as the other side accepts," says the company in a blog post. "If you need a dedicated space for planning projects and looping in others, create channels between organizations, where members of invited organizations can freely come and go as needed."
The intention is that, for instance, you can pick someone and "send your first message welcoming them," as well as "describing what you'd like to accomplish." Slack sees this as a way for people across different companies to work together.
However, that "first message welcoming them" for a time was seen by the recipient alongside the button to accept the invitation. That means a sender can choose to say anything at all in that first message.
well that was easy as shit to abuse
- send invite with nasty language
- slack emails you w/ the full content of the invite
- can't block the emails because they come from a generic slack address that informs you of invites
- abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO
-- Menotti Minutillo (@44)
It also appears that this "first message" need not be the only message. All a Slack user needs is the email address of another Slack user, and they can issue such "invitations" again and again, repeating the same harassment.
Just as there is nothing to stop them sending one harassing message, it appears that there is no way for a Slack user to block those emails from one sender permanently. There also is not presently a way for a user to opt out of the system.
Following the complaints, Slack walked back the change.
"After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages," Slack's Vice President Jonathan Prince said in a statement. "We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs.
"Slack Connect's security features and robust administrative controls are a core part of its value both for individual users and their organizations," Prince added. "We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue."
Updated March 24, 3:08 PM: Slack has rolled back the change. It isn't clear when it will make a return, or in what form.