New Slack Connect DM Feature Raises Security Concerns

Business communications platform Slack rushed to take action on Wednesday after customers raised security-related concerns regarding a new feature that allows users to send direct messages to any other Slack user.

The new direct message feature, officially launched on Wednesday, is part of the Slack Connect service, which is advertised by the company as an efficient way for organizations to communicate with partners, vendors and customers — basically an alternative for email. The new DM feature enables paying customers to “quickly and securely connect with anyone outside of [their] organisation” based on their email address.

“Simply send an invite to any partner, and start messaging in Slack as soon as the other side accepts, speeding up the work that often starts over back-and-forth emails. A salesperson can form a direct line of contact to prospects, or a customer service agent can triage an issue faster, without waiting for the other side to check their email,” Slack wrote in a blog post announcing the new feature.

Slack says more than 750,000 companies use its services, but only roughly 74,000 paying customers can currently initiate DMs. Customers using the service for free can participate in DMs, but they cannot initiate them. However, Slack does plan on expanding the feature to allow even customers on free plans to initiate DMs. The feature is enabled by default, but administrators can opt out, Slack says in its documentation.

The problem many raised after the feature was announced concerned the customizable text that users could include in a Connect DM invite sent to someone.

Some users pointed out how easily the feature could be abused to harass others. The text a user could add to an invitation was sent via email from a generic Slack email address. Blocking this Slack email address to stop receiving abusive messages would also mean blocking other, potentially important Slack messages.

[Image: Slack Connect DM abuse harassment]

Hours later, Slack announced that — based on user feedback — it removed the ability to send custom messages when sending out invitations for Connect DMs.

“Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue,” Slack said.

Dirk Schrader, global VP of security research at New Net Technologies (NNT), a Florida-based provider of cybersecurity and compliance software, told SecurityWeek, “Product management is always about user experience, about features that help and support users in what they do with the product. This one falls into the ‘it's compiled, roll it out’ category of not thinking twice about how a feature is potentially used by someone with malicious intent. This gaffe by Slack has been quickly identified and stopped, but puts some shadow on its roadmap process and the way features are selected and verified from all kinds of security aspects a user can be concerned of, including bullying.”

Some security experts also raised concerns about how the DM feature could be abused for phishing. And once the targeted user has accepted an invitation to connect, a bad actor could abuse file upload features to deliver malware.

While the DM feature can be useful, it could cause a lot of headaches for administrators and security teams.

“For many employees, Slack is seen as a trusted communication zone. This [feature] changes that for orgs,” said Rachel Tobac, CEO of SocialProof Security, a company that provides social engineering and hacking training. “If those outside the trusted space have access, it’s now an attack option. As a pentester I used to use more spoofable comms like email, SMS, & phone to attack & now I’ll try Slack too.”

“This is a lot of work on Slack admins to manage which DMs/channels are allowed or available. For instance, I’m added to an org’s internal slack for 1 project — still have limited access but I can add others & the admin has to approve. This will increase admin fatigue & mistakes,” she added.

“I’ll be watching this new Slack feature closely to see how cyber criminals use it to send malware to folks within orgs, and how it’s leveraged in phishing,” Tobac said.

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology that applies AI to detect and hunt for cyber attackers, also commented on the topic.

“When a collaboration platform adds features which extend beyond a single organization’s boundary, a complex set of issues inevitably arise. Email has historically been the primary channel for such interactions and we have spent the last couple of decades adding checks for inappropriate content, phishing, malware, etc. to that channel. Slack’s decision to enable such a channel without any of those controls in place appears to have totally ignored this historical context,” Tavakoli told SecurityWeek.

*Updated to clarify that while Slack Connect DMs can be used by customers on both free and paid plans, only users on paid plans can currently initiate DMs.

Related: Slack Outage Causing Enterprise Security Hiccups

Related: Slack Pays Bounty for Critical Vulnerability in Desktop App

Related: Slack Vulnerability Allowed Hackers to Hijack Accounts

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.