Slack's new cross-business messaging feature was briefly an avenue for harassment

Posted in General Discussion, edited March 24
After Slack launched the ability for users to message any other Slack user from any company, it was immediately met with the wrath of its customers, and the company quickly disabled the feature.

Slack for Mac


Following its recent acquisition by Salesforce, Slack is launching a new system that is intended to expand the chat service's reach to more people. However, as currently planned, the new Slack Connect is at best going to get users even more of the LinkedIn-style requests to connect.

"Simply send an invite to any partner and start messaging in Slack as soon as the other side accepts," says the company in a blog post. "If you need a dedicated space for planning projects and looping in others, create channels between organizations, where members of invited organizations can freely come and go as needed."

The intention is that, for instance, you can pick someone and "send your first message welcoming them," as well as "describing what you'd like to accomplish." Slack sees this as a way for people across different companies to work together.

However, that "first message welcoming them" for a time was seen by the recipient alongside the button to accept the invitation. That means a sender can choose to say anything at all in that first message.

well that was easy as shit to abuse

- send invite with nasty language
- slack emails you w/ the full content of the invite
- can't block the emails because they come from a generic slack address that informs you of invites
- abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO

-- Menotti Minutillo (@44)


It also appears that this "first message" does not have to be the only message. All a Slack user needs is the email address of another Slack user, and they can repeatedly issue such "invitations," each repeating the same harassment.

Just as there is nothing to stop them sending one harassing message, it appears that there is no way for a Slack user to block those emails from one sender permanently. There also is not presently a way for a user to opt out of the system.

Following the complaints, Slack walked back the change.

"After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages," Slack's Vice President Jonathan Prince said in a statement. "We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs.

"Slack Connect's security features and robust administrative controls are a core part of its value both for individual users and their organizations," Prince added. "We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue."

Updated March 24, 3:08 PM: Slack has rolled back the change. It isn't clear when it will make a return, or in what form.

Comments

  • Reply 1 of 7
    flydog Posts: 1,008 member
    This article is incorrect. Slack Connect can be disabled, though it is enabled by default.

    Enable or disable Slack Connect for channels

    By default, members can work in channels with people outside your company. Owners and admins can enable or disable the option for members to share channels at any time. 

    Enable or disable Slack Connect for DMs

    By default, members can start direct messages (DMs) with people at other companies. Owners and admins can enable or disable Slack Connect for DMs at any time.

    https://www.cloudsavvyit.com/10312/how-to-disable-slack-connect/

    https://slack.com/intl/en-ca/help/articles/360050528953-Manage-Slack-Connect-settings-and-permissions-



    edited March 24
  • Reply 2 of 7
    Mike Wuerthele Posts: 6,266 administrator
    flydog said:
    This article is incorrect. Slack Connect can be disabled, though it is enabled by default.

    Enable or disable Slack Connect for channels

    By default, members can work in channels with people outside your company. Owners and admins can enable or disable the option for members to share channels at any time. 

    Enable or disable Slack Connect for DMs

    By default, members can start direct messages (DMs) with people at other companies. Owners and admins can enable or disable Slack Connect for DMs at any time.

    https://www.cloudsavvyit.com/10312/how-to-disable-slack-connect/

    https://slack.com/intl/en-ca/help/articles/360050528953-Manage-Slack-Connect-settings-and-permissions-



    The article is correct. Individual users cannot opt out.
  • Reply 3 of 7
    flydog Posts: 1,008 member
    flydog said:
    This article is incorrect. Slack Connect can be disabled, though it is enabled by default.

    Enable or disable Slack Connect for channels

    By default, members can work in channels with people outside your company. Owners and admins can enable or disable the option for members to share channels at any time. 

    Enable or disable Slack Connect for DMs

    By default, members can start direct messages (DMs) with people at other companies. Owners and admins can enable or disable Slack Connect for DMs at any time.

    https://www.cloudsavvyit.com/10312/how-to-disable-slack-connect/

    https://slack.com/intl/en-ca/help/articles/360050528953-Manage-Slack-Connect-settings-and-permissions-



    The article is correct. Individual users cannot opt out.

    Well then it's misleading since the organization that owns the account can in fact disable Slack Connect.

    Slack is not a personal service like your cell phone or personal email.  You get it through your organization, school, employer, etc.  

    Why would an employee have control over his company's settings?  If the company wants an employee to receive messages from outside companies then the employee should receive them.  That's like saying an employee should be able to refuse phone calls on their company phone because some may be telemarketing or spam. 


    edited March 24
  • Reply 4 of 7
    flydog said:
      That's like saying an employee should be able to refuse phone calls on their company phone because some may be telemarketing or spam. 

    I quite regularly let calls go to voicemail on my work phone. It's a great way to know what and how long to expect the return call with the client to be. 

  • Reply 5 of 7
    Mike Wuerthele Posts: 6,266 administrator
    flydog said:
    flydog said:
    This article is incorrect. Slack Connect can be disabled, though it is enabled by default.

    Enable or disable Slack Connect for channels

    By default, members can work in channels with people outside your company. Owners and admins can enable or disable the option for members to share channels at any time. 

    Enable or disable Slack Connect for DMs

    By default, members can start direct messages (DMs) with people at other companies. Owners and admins can enable or disable Slack Connect for DMs at any time.

    https://www.cloudsavvyit.com/10312/how-to-disable-slack-connect/

    https://slack.com/intl/en-ca/help/articles/360050528953-Manage-Slack-Connect-settings-and-permissions-



    The article is correct. Individual users cannot opt out.

     Well then it's misleading since the organization that owns the account can in fact disable Slack Connect.

    Slack is not a personal service like your cell phone or personal email.  You get it through your organization, school, employer, etc.  

    Why would an employee have control over his company's settings?  If the company wants an employee to receive messages from outside companies then the employee should receive them.  That's like saying an employee should be able to refuse phone calls on their company phone because some may be telemarketing or spam. 


    You're welcome to believe what you want, in regards to "misleading."

    And in regards to your second complaint, I'm going to assume that you've never screened a call like mpschaefer above, or been harassed or SWATted as a result of your job, or through job-provided avenues of communication. If you aren't involved in customer service, you as an employee absolutely should have the ability to do so, and somebody reaching out through Slack for customer support is super-iffy.

    Some of us here have been involved in life-threatening abuse from Internet folks, including myself, because a YouTuber's fanbase took issue with me pointing out factual holes in a video of their idol's and decided to call the cops on me about it. While Slack's previous policy wouldn't have abated that, it is one less exploitable avenue.
    edited March 25
  • Reply 6 of 7
    crowley Posts: 8,771 member
    flydog said:
    flydog said:
    This article is incorrect. Slack Connect can be disabled, though it is enabled by default.

    Enable or disable Slack Connect for channels

    By default, members can work in channels with people outside your company. Owners and admins can enable or disable the option for members to share channels at any time. 

    Enable or disable Slack Connect for DMs

    By default, members can start direct messages (DMs) with people at other companies. Owners and admins can enable or disable Slack Connect for DMs at any time.

    https://www.cloudsavvyit.com/10312/how-to-disable-slack-connect/

    https://slack.com/intl/en-ca/help/articles/360050528953-Manage-Slack-Connect-settings-and-permissions-



    The article is correct. Individual users cannot opt out.

     Well then it's misleading since the organization that owns the account can in fact disable Slack Connect.

    Slack is not a personal service like your cell phone or personal email.  You get it through your organization, school, employer, etc.  

    Why would an employee have control over his company's settings?  If the company wants an employee to receive messages from outside companies then the employee should receive them.  That's like saying an employee should be able to refuse phone calls on their company phone because some may be telemarketing or spam. 
    Huh? As an employee with a phone and an email account I'm perfectly able to block callers or email addresses that I consider junk without a change to organisation settings by my employer. That's pretty basic functionality.
  • Reply 7 of 7
    dewme Posts: 3,834 member
    This article was useful because it prompted me to review the settings on my Slack site to make sure nobody would be surprised. Thanks for the links Flydog.

    This is simply another case of good (and naive) intentions being crapped on by the reality of people behaving badly. At least it was snubbed out beforehand. Sigh...