Slack’s Security Updates Should Improve Message and Data Security


Slack, the online instant messaging and collaboration service that sells itself as a replacement for email, has introduced a host of new security features designed to make workplace communications safer.

The new features for the app’s 10 million daily users were added after a cybersecurity firm found a flaw that could let hackers steal a company’s files and closely held data. The company fixed the vulnerability, but remember that nothing is 100% secure on the Internet.

Slack’s updated security features give administrators more power to prevent outsiders from accessing sensitive company information, and add the option of two-factor fingerprint scanning, facial recognition software and generated passwords on mobile devices.

File downloads and attempts to copy messages onto unauthenticated devices can now be blocked. A whitelist tool limits which Slack workspaces can be accessed from a network, stopping employees from signing into other businesses’ Slack workspaces.

More measures will be released to the company’s Enterprise Grid service in the coming weeks to ensure that only authorized users and devices can access it.

The features include the ability to remotely wipe messages from an employee’s device in case of theft or loss and an option to select which browser can open Slack’s links.

Not the Whole Enchilada

But the new updates stop short of offering end-to-end encryption. Some critics say that means Slack can read your data, law enforcement can request it and hackers can steal it. WhatsApp, by contrast, provides end-to-end encryption.

Slack has doubled down on its decision to avoid encryption. Its executives say they have not seen significant customer demand for it. Besides, they say, encryption would degrade the app’s functionality.

But last year, Slack quietly opened up the Enterprise Key Management tool, a bolt-on to its Enterprise Grid, giving administrators the keys to encrypt their own messages and files. It was aimed at customers in heavily regulated sectors such as financial services, healthcare and government that require tighter security.

Just a few months ago, Slack scrambled to fix a security loophole that would have allowed hackers to intercept files downloaded from the app’s Windows desktop version.

David Wells, a researcher with Tenable cybersecurity, said the bug would have allowed “all future downloaded documents by the victim to end up being uploaded to an attacker-owned file server until the setting is manually changed back by the victim.”

The attacker could not only steal any downloaded files but also could then modify them to include a malicious bug. “The options from there on,” Wells says, “are endless.”

The flaw was patched in Slack version 3.4.0.

Getting Better

The updates represent a big improvement in security. “These new features are designed for leaders who want to modernize and improve how their organizations work while maintaining compliance with their industry- or company-specific security policies,” Slack says in a blog post.

As Slack faces scrutiny over its security practices, the five-year-old company also is struggling to defend its market share from forays by Facebook and Microsoft.

Microsoft claims 13 million daily users run its Microsoft Teams service as part of their Office 365 suite – a statistic that caused Slack’s newly listed stock to drop 4% on one day in July.

Last week, Facebook launched a redesign of its Workplace platform for businesses to differentiate from its social media interface. It included automatic file scanning for malware, built-in live-streaming and employee safety checks.

Still, Slack chief executive Stewart Butterfield appears unconcerned. He told Fortune that Microsoft, for one, was “an incredible company” and its Azure cloud services, which Slack uses as a base for its own service, is “a great partner.”

“They’re big enough that they end up working with and competing with all kinds of people around the world,” says Butterfield. “Whatever Microsoft does, we’re still going to do the same thing for customers. It doesn’t really matter what Microsoft does.”