Earlier today, Slack began rolling out a new feature that allows paid users to send a direct message to any other Slack user, provided they have that person’s email address. The company has now disabled the option to attach a personal message to an invitation to chat, after multiple people and publications such as The Verge pointed out that it could be used for harassment.
“We are taking immediate action to prevent this type of abuse, starting today with the removal of the ability to customize a message when a user invites someone to join Slack Connect DMs,” Jonathan Prince, Vice President of Communications and Policy at Slack, told The Verge. “We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of using Slack Connect.”
Well, it was easy as shit to abuse:
– send an invitation with nasty language
– emails to you with the full content of the invitation
– cannot block the emails because they come from a generic secondary address that notifies you of invitations
– the abuser may continue to invite with abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO
– Menotti Minutillo (@44) March 24, 2021
Twitter employee Menotti Minutillo was among the first to point out the loophole in Slack Connect DMs. The feature, which Slack envisioned as a way for people from different organizations to connect, did not make it easy for individuals to opt out. To make matters worse, Slack forwarded invitations, together with any accompanying message, from its firstname.lastname@example.org address, which meant you couldn’t filter those messages in your email client without also blocking legitimate notifications from Slack and from your own organization.
Granted, if you already have someone’s email address, you could just as easily send them abusive messages directly or harass them on any number of other platforms. But these are exactly the kinds of loopholes you would expect a company like Slack to consider and test before introducing a new feature.