Slack is pulling back the new DM feature added to its platform less than a day after its release, over concerns that the new system could be exploited to send abusive or harassing messages to others with ease. The company's vice president, Jonathan Price, said he is thankful for the feedback from users, and the company has taken immediate steps to prevent this kind of abuse.
Slack Connect DMs is a feature that lets Slack users privately message people inside and outside their company by sending an invite. It is designed to make it easier to start working with new partners or clients, as well as to message friends and people at other companies. Connect DMs work by emailing a person a special link to start a conversation. However, this might require Slack admin approval, depending on how your organization has been configured in Slack.
Slack Connect DM Issues
Twitter user Menotti Minutillo (@44) raised the first concern that the feature was too easy for malicious individuals to abuse. The feature did not have any robust opt-out protections to prevent an individual from being spammed with emails.
Slack Connect bypasses any filters or protections users have placed on their inboxes. Apparently, with the new DM feature, a person sending an invitation link can include a personalized message with it, and that message is not hidden. While the message is presumably meant as a way for the inviter to introduce themselves properly, it can be used to send hate and other abusive messages.
well that was easy as shit to abuse
- send invite with nasty language
- slack emails you w/ the full content of the invite
- can't block the emails because they come from a generic slack address that informs you of invites
- abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO
— Menotti Minutillo (@44) March 24, 2021
Unfortunately, the recipient of such an email cannot easily filter it out, because blocking Slack's generic email address might also filter out other important Slack emails.
For what it's worth, TechCrunch reported that the DM feature is opt-in, giving users a sense of discretion from indiscriminately sending messages to people inside their company. However, individual users do not have active control over who can DM them. Also, there is no filtering or monitoring of the message body that could prevent someone from sending hateful messages. The abuses that Slack Connect DMs could be exploited for include spam emails, sales cold calls, stalking, and harassment.
Fixing The Issue
The Verge talked with the company's vice president Jonathan Pierce and reported that Slack is making some repairs to its system. Pierce said that Slack is taking steps to prevent this abuse, starting with the removal of customized messages from Slack Connect DM invites.
Update: I asked Slack what it made of all the worries about bullying and harassment made possible by Connect DMs. (I should have pushed harder on this sooner, too.) The company is making changes, starting with removing the customized messages from invitations pic.twitter.com/vbXV0QDSZV
— David Pierce (@pierce) March 24, 2021
Pierce also mentioned that Slack Connect's security was built with robust administrative controls that value the rights of individual users and their organizations. As such, the company is making amends for the program's lapses.
Slack Connect was designed as a premium feature for enterprise users, who pay $8 per month (or $6.67 on the annual plan) for certain administrative features that let them contact employees or new customers with ease. However, this feature could be intrusive, and exploiting it affects both free and premium users. Slack said it is doing its best to keep its communications platform safe and secure.