Slack Deactivates Connect DM as Online Abuse Cases Soar

essidsolutions

Silicon Valley-based workplace communications giant Slack recently unveiled Connect DM that allows users to connect with people outside their company’s framework. However, the feature had to be deactivated hours after it was rolled out when malicious actors exploited a flaw and bombarded users with abusive messages.

In October last year, Slack rolled out its new Connect DM feature, enabling users to connect with partners and vendors outside their organization. Thanks to this feature, users could connect with others by sending email invites along with optional personal messages to give invitees an all-access pass to their company’s Slack interface.

However, in a bid to allow its users to loop in people outside their team, Slack overlooked a vital security concern. Several social media users reported that the 560-character custom message had no filters or restrictions, and the email invite could be generated from a standard email address. Any malicious attacker could exploit this loophole and send malware, masked as conversation from trusted sources. This flaw led to disastrous consequences, leaving employees vulnerable to abusive content from outsiders.

Slack does not feature end-to-end encryption, as the company believes it would limit its functionality. So organizations using the platform cannot be verified. And here comes the paradox – when its new feature allows people to send DMs with potentially harmful messages, there is no way for recipients to know if the source is trusted or not.


Slack Back on Drawing Board to Fix the Flaw

After complaints about abusive messages via the custom messaging feature mounted worldwide, Slack hurriedly withdrew Connect DM, issuing a quick apology to its customers.

“We are taking immediate steps to prevent this kind of abuse,” said Jonathan Prince, vice president of communications and policy at Slack. “We made a mistake in this initial rollout that is inconsistent with our goals for the product and the typical experience of Slack Connect usage.”

When it was first announced, Slack Connect DM was only intended to be an add-on to its premium services, available to a tenth of its customer base. The feature was enabled by default for paid accounts, but they have the option to opt out. The company plans to roll it out to free users in the future as well.

Analysts believe that this mistake will not affect Slack’s reputation. The company has already built credibility with 12 million daily active users and has integrated several business tools like Google Drive, GitHub, Asana, Zapier, and Salesforce. Some of these tools are built into the Slack platform, offering a unified communication platform to users.


Slack was founded in 2009 by the founders of Ludicorp as a gaming software company. However, after recalling its debut game Glitch, the company soon became popular for its real-time collaboration service. It was publicly launched in 2014 and grew at a rate of 5-10% a week in its first year. It is commonly used as an intra-organizational communication tool, an easy and faster alternative to formal emails.

This wasn’t the only security incident Slack had to negotiate this month. Last week, the company said that a security flaw led to a bug that logged credentials in plain text and affected a small subset of its Android users who had entered their password between 11th January 2021 and 20th January 2021. After discovering the bug, the company quickly reset the password of all affected users.

“Slack took this step in an abundance of caution, even though the risk of exposure of these logged passwords was very low and there is no evidence of any unauthorized or third-party access to affected accounts. The passwords were logged to the local device logs that are only visible to the Slack app on the device. On a properly operating Android device, there is no risk that any other apps could view these logs,” the company said.
