
Slack just backtracked on the worst idea ever


Slack has now reversed its controversial decision to let users message anyone else via Slack, even if they aren’t part of the same private channel.

Or, more accurately, the company has fine-tuned the Slack Connect DMs feature to minimize the risk of harassment and abuse. Users will still be able to invite outsiders to join them in a private conversation, but now there’s no option to send any messages beforehand.

Slack Connect DMs is an invite system that enables cross-channel communication. That means people could communicate with each other through Slack, despite not being members of the same private channel, but only if they both agreed to it first. That’s not changing, as far as we can tell.

Initially, however, those invites could go out with a written message. Naturally, this could easily be exploited to harass people at work or send them abusive messages, particularly since Slack does not include tools to block other people or report abuse.


So Slack has admitted its mistake and backtracked on the initial messaging feature.

“After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs,” Jonathan Prince, Slack’s vice president of communications and policy, told The Verge.

“Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”

There’s more to worry about than abuse

Of course, there are still other concerns to worry about. Some of them have already been debunked online, like the risk of people being able to see which Slack channels a user is part of when they accept an invite. Slack has confirmed to The Verge that users receiving invites will only be able to see which channel they’re being invited to, and nothing else.

There’s also the problem that while individual companies will be able to opt in to Slack Connect, individuals have no such power. It’s also not clear whether it’s possible to disable the feature for individual members of an organization. So users may find themselves bombarded with Slack Connect invitations, with no way to turn them off.

Those invitations may not come with abusive messages attached, but they could prove to be a serious distraction if the wrong person (or people) decided to exploit those tools.


Plus there’s the problem of which channel admins have access to what. Slack Plus plans store everything, without encryption, and make it accessible by channel admins if they wish. In a situation where two members of different organizations are sending messages via Slack Connect, there are two different admin teams that may be able to see what they’re saying. We’ve asked Slack to clarify this point.

Then there’s the risk of exposing sensitive company information. It’s bad enough if outside admins could potentially see this, but companies do talk about sensitive stuff in Slack. In fact, last year’s Twitter hack, which led to verified accounts tweeting out the same cryptocurrency scam, only happened because the hacker managed to infiltrate Twitter’s Slack account and gain access to company tools.

Slack Connect DMs are what the name suggests, and just let people send private messages between Slack channels. But it is a potential security hole, and hackers are an intrepid bunch. Who knows what they might be able to get up to?

Fortunately, Slack seems willing to listen to criticism and will make changes to Slack Connect where needed. Reducing the risk of abuse is very important, but it’s still only a surface-level problem. There are other issues underneath that need to be addressed as well. Let’s just hope it will happen soon, and without someone claiming to be Elon Musk while trying to fleece you out of Bitcoin.