Slack backtracked on the worst idea ever

Slack has now reversed its controversial decision to allow users to send messages to anyone else through Slack, even if they do not belong to the same private channel.

More precisely, the DM feature in Slack Connect has been tweaked to minimize the risk of harassment and abuse. Users can still invite outsiders to private conversations, but there is no longer an option to send a message in advance.

Slack Connect DMs is an invitation system that allows cross-channel communication. This means that people can communicate through Slack even though they are not members of the same private channel. As far as we know, that has not changed.

Initially, however, invitations could be sent out with a written message attached. Naturally, this could easily be abused to harass or send abusive comments to people at work. Notably, Slack does not include tools to block others or report abuse.

So Slack admitted its mistake and withdrew the original messaging feature.

"After rolling out Slack Connect DMs this morning, we received valuable feedback from users about the potential for email invitations to use this feature to be used to send abusive or harassing messages. To prevent such abuse, we are taking immediate action by removing the ability to customize messages for invitations to Slack Connect DMs, effective today," Jonathan Prince, vice president of communications policy at Slack, told The Verge.

"Slack Connect's security features and robust administrative controls are a core part of its value to both individual users and their organizations. We made a mistake in this initial rollout that was inconsistent with the goals of the product and the general experience of using Slack Connect. As always, we thank everyone who raised their voices and will do our best to resolve this issue."

Of course, there are still other concerns to worry about. Some of them have already been debunked online, such as the danger of users knowing which Slack channel they belong to if they accept an invitation; Slack has confirmed to The Verge that invited users will only be able to see the channels to which they have been invited, and nothing else.

Another issue is that while individual companies as a whole can opt-in to Slack Connect, individuals have no such permissions. It is also not clear whether it is possible to disable this feature for individual members of an organization. Thus, users may be swamped with Slack Connect invitations with no way to turn them off.

While these messages may not have abusive messages attached, they could be a serious distraction if the wrong person (or people) decide to abuse these tools.

Additionally, there is the issue of which channel administrators have access to what; the Slack Plus plan stores everything unencrypted and allows channel administrators to access it if they wish. In a situation where two members of different organizations are sending messages via Slack Connect, there are two different teams of administrators who could potentially see what they are talking about. We have asked Slack to clarify this point.

Then there is also the risk of confidential company information being leaked. It is bad enough that an outside administrator could potentially see this, but companies talk about confidential matters in Slack. In fact, last year's Twitter hack, in which an authenticated account ended up tweeting the same cryptocurrency scam, only happened because hackers successfully broke into Twitter's Slack account and gained access to the company's tools.

Slack Connect DM, as the name implies, allows private messages to be sent between Slack channels. However, this is a potential security hole, and hackers are a brave bunch. Who knows what they might do.

Fortunately, Slack seems to be listening to criticism and making changes to Slack Connect when necessary. Reducing the risk of abuse is very important, but still only a superficial issue. There are other underlying issues that need to be addressed. One can only hope that it happens soon, without someone trying to swindle people out of their bitcoins while claiming to be Elon Musk.
