Last week Slack debuted its long-awaited “Connect” direct messaging feature, which allows users to send invites to other users via an email address. Within just a few days it was already in need of major repairs due to a technical oversight that created major security concerns.
Billed as a way for businesses to easily loop vendors and partners into discussions and to more quickly address customer concerns, the feature allows anyone who accepts an email invite to immediately begin interfacing with a company Slack without having to be given full access. A serious flaw in this email invite system is the source of the security concerns. The invites can contain customizable text (up to 560 characters), and Slack apparently did not put any real restrictions on what could be included. The invite is then sent from a generic Slack address, which lets it slip through mail filters and makes it very difficult to block without also blocking other legitimate emails from the service.
At minimum, this created an opportunity for targeted harassment. At worst, it potentially opened up a route for phishing and malware enhanced by being delivered from a trusted source.
Security concerns send Slack DMs back to the drawing board
Slack Connect is meant to be an alternative to emailing parties outside the platform, connecting customers and partners to the company's established communications systems without lengthy back-and-forth messaging. Once an invite is accepted, the two users are able to directly message on the platform. Initially, the full functionality of this service is only available to the roughly one tenth of the Slack customer base on paid plans (about 74,000 organizations), though Slack has announced plans to eventually roll out the ability to both initiate and participate in DMs to free users. The feature was enabled by default for paid accounts, with the ability to opt out.
Social media users quickly noticed that Slack was not filtering the custom text that could be added to the Connect DM invitations, nor did it seem to be limiting the amount that could be sent. The only thing that would make this more of a dream feature for spammers and harassers would be the ability to attach files. While that is not possible when sending an invite, it is possible to direct a target to a channel containing malware or one that hosts links to attack sites.
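The filtering problem described above (invites arrive from a generic Slack sender, so blocking the sender blocks all of Slack's mail, while the custom text is the only part an attacker controls) can be handled at the mail gateway by inspecting just the custom portion of the invite. The following is an added example written for this article, not Slack's code; the sender address, subject wording, the quoted "Message from …:" layout and the sample emails are constructed assumptions about what an invite looks like, and the 560-character limit is the figure given above.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts that legitimately appear in an invite (assumed placeholder, not Slack's real domain).
ALLOWED_HOSTS = {"example-slack.test"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Assumed layout: the sender-controlled text sits in quotes after "Message from <name>:".
CUSTOM_RE = re.compile(r'Message from [^:]+:\s*"(.*?)"', re.S)
LURE_WORDS = ("password", "verify", "urgent", "invoice", "wire")
MAX_CUSTOM_LEN = 560

# Constructed sample messages for illustration only.
SAMPLE_BENIGN = """From: Slack <no-reply@example-slack.test>
To: alice@corp.example
Subject: Bob invited you to a Slack Connect DM
Content-Type: text/plain

Bob (Vendor Co) would like to message you directly in Slack.

Message from Bob (Vendor Co):
"Hi Alice, following up on the Q2 contract review."

Accept invitation: https://example-slack.test/connect/accept?token=abc
"""

SAMPLE_LURE = """From: Slack <no-reply@example-slack.test>
To: alice@corp.example
Subject: IT Support invited you to a Slack Connect DM
Content-Type: text/plain

IT Support (Helpdesk) would like to message you directly in Slack.

Message from IT Support (Helpdesk):
"Urgent: your password expires today, verify at https://login-reset.attacker.test/slack"

Accept invitation: https://example-slack.test/connect/accept?token=def
"""

SAMPLE_DIGEST = """From: Slack <no-reply@example-slack.test>
To: alice@corp.example
Subject: Your weekly Slack digest
Content-Type: text/plain

You have 3 unread messages in #general.
"""


def parse_invite(raw):
    """Split a raw message into headers plus the sender-controlled custom text."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    match = CUSTOM_RE.search(body)
    custom = match.group(1).strip() if match else ""
    return {"from": msg["From"], "subject": msg["Subject"] or "", "custom": custom}


def classify(raw):
    """Return (verdict, reasons). Only Connect invites with custom text are scrutinised,
    so ordinary Slack mail from the same sender still passes."""
    inv = parse_invite(raw)
    reasons = []
    if "connect" not in inv["subject"].lower() or not inv["custom"]:
        return "pass", reasons
    # Links placed by the inviter are the main phishing vector; the template's own links are not in this span.
    for url in URL_RE.findall(inv["custom"]):
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_HOSTS:
            reasons.append(f"external link in custom text: {host}")
    lowered = inv["custom"].lower()
    for word in LURE_WORDS:
        if word in lowered:
            reasons.append(f"lure word: {word}")
    if len(inv["custom"]) > MAX_CUSTOM_LEN:
        reasons.append(f"custom text exceeds {MAX_CUSTOM_LEN} chars")
    return ("quarantine" if reasons else "pass"), reasons


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("lure", SAMPLE_LURE), ("digest", SAMPLE_DIGEST)):
        print(name, classify(sample))
```

The key design choice is to key the decision on the inviter-controlled span rather than on the sender, which is exactly the distinction a sender-based block cannot make; a real deployment would replace the assumed regex with whatever structure the actual invite template has and tune the lure list to the organization.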
In response to user feedback about these security concerns, Slack temporarily disabled the ability to add custom text to invitations. A report from TechCrunch indicates that the messaging feature has also been made opt-in due to the security concerns. An organization IT admin will need to enable the Slack Connect DM feature, and can also limit the ability to receive DMs to only verified organizations (or just disable message receipt entirely). Slack also put out the following public message regarding the security concerns: “Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”
While this particular mistake was corrected fairly quickly and without any apparent damage, it could harm consumer confidence in Slack's reputation as an internal organization "safe zone" and in its planned new features. Beyond its free tier and its functionality, Slack has become a leading collaboration tool due in part to the perception that it is safe and that communications are tightly sealed off from the outside world. Security professionals have generally seen it as a low-maintenance addition to the company's bench of cloud-based tools, not requiring any significant extra time and effort to keep it secure. At minimum, security teams will now need to take some time out to review any new Slack feature that creates the possibility of outside parties accessing internal organization spaces or leveraging the platform as an attack vector.
Heightened security concerns as phishing attempts spiked in 2020
This is a particularly bad time for security concerns to develop given the general spike in cyber crime corresponding with increased remote work and moves to cloud-based services. Phishing attempts spiked by over 300% in 2020, particularly targeted attacks against mobile devices, where recipients are not necessarily paying as much attention when messages appear to be coming from trusted sources. Slack is not without its prior issues in this area. One longstanding shortcoming of the platform is that it does not offer end-to-end encryption, something Slack has rejected on the grounds that it would limit functionality. The company has had security incidents in the past, including a 2017 flaw that could have allowed attackers to steal authentication tokens. And in February, Android users were asked to reset their passwords after it was found that the Android app had been logging them in plain text for a month.
Devin Redmond, CEO and co-founder of Theta Lake, speculates that while these security concerns may cause some reputational damage for Slack, they are not likely to scare organizations into forbidding use of it or attempting to create more secure customized versions: "Slack's new Connect direct messaging is compelling communication functionality for individuals and their organizations. Although some may see compliance and potential for security risks by allowing direct messages between individuals across any organization versus the traditional boundary of Slack messages between employees and within the organization, Slack has been mature in their thinking here. Outside of their own capabilities, Slack has built a robust ISV partner ecosystem with certified integration partners to handle an organization's need to protect users and data in any Slack communication … Apps like WhatsApp and WeChat have been a tough area for financial services firms and the compliance requirements they have to adhere to… Basically, those apps were built as consumer centric without the thought of what a business has to do to prove and ensure that their communications with consumers are safe and that their communications with their peers and partners have no scenarios of data leakage or collusion. The result for those organizations is that they have had to either create and enforce manual policies telling employees they cannot use those direct message apps for any business purpose or they have to build limited and highly customized versions of WhatsApp or WeChat for just their employees to try and enable some of the needed compliance functionality. The bottom line is they were not friendly to compliance and the compliance driver to protect customers and consumers.
With that example in mind, Slack’s approach to providing safety and compliance has been fundamentally different and oriented towards providing the capabilities organizations need to make sure their employees, partners, and customers are safe and abiding by the regulations designed to protect them from data theft and malfeasance when they communicate.”
(Ed. note: Wording of this article has been updated to better reflect that the feature had functionality disabled due to a serious security oversight rather than being removed entirely.)