New Slack Connect DM Feature Raises Security Concerns

Business communications platform Slack rushed to take action on Wednesday after customers raised security-related concerns regarding a new feature that allows users to send direct messages to any other Slack user.

The new direct message feature, officially launched on Wednesday, is part of the Slack Connect service, which is advertised by the company as an efficient way for organizations to communicate with partners, vendors and customers — basically an alternative for email. The new DM feature enables paying customers to “quickly and securely connect with anyone outside of [their] organisation” based on their email address.

“Simply send an invite to any partner, and start messaging in Slack as soon as the other side accepts, speeding up the work that often starts over back-and-forth emails. A salesperson can form a direct line of contact to prospects, or a customer service agent can triage an issue faster, without waiting for the other side to check their email,” Slack wrote in a blog post announcing the new feature.

Slack says more than 750,000 companies use its services, but only roughly 74,000 paying customers can currently initiate DMs. Customers using the service for free can participate in DMs, but they cannot initiate them. However, Slack does plan on expanding the feature to allow even customers on free plans to initiate DMs. The feature is enabled by default, but administrators can opt out, Slack says in its documentation.

The problem raised by many after the feature was announced was related to the customizable text that users could include in a Connect DM invite sent out to someone.

Some users pointed out how easily the feature could be abused to harass others. The text a user could add to an invitation was sent via email from a generic Slack email address. Blocking this Slack email address to stop receiving abusive messages would also mean blocking other, potentially important Slack messages.

Hours later, Slack announced that — based on user feedback — it removed the ability to send custom messages when sending out invitations for Connect DMs.

“Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue,” Slack said.

Dirk Schrader, global VP of security research at New Net Technologies (NNT), a Florida-based provider of cybersecurity and compliance software, told SecurityWeek, “Product management is always about user experience, about features that help and support users in what they do with the product. This one falls into the ‘it’s compiled, roll it out’ category of not thinking twice about how a feature is potentially used by someone with malicious intent. This gaffe by Slack has been quickly identified and stopped, but puts some shadow on its roadmap process and the way features are selected and verified from all kinds of security aspects a user can be concerned of, including bullying.”

Some security experts also raised concerns about how the DM feature could be abused for phishing. And once the targeted user has accepted an invitation to connect, a bad actor could abuse file upload features to deliver malware.

While the DM feature can be useful, it could cause a lot of headaches for administrators and security teams.

“For many employees, Slack is seen as a trusted communication zone. This [feature] changes that for orgs,” said Rachel Tobac, CEO of SocialProof Security, a company that provides social engineering and hacking training. “If those outside the trusted space have access, it’s now an attack option. As a pentester I used to use more spoofable comms like email, SMS, & phone to attack & now I’ll try Slack too.”

“This is a lot of work on Slack admins to manage which DMs/channels are allowed or available. For instance, I’m added to an org’s internal slack for 1 project — still have limited access but I can add others & the admin has to approve. This will increase admin fatigue & mistakes,” she added.

“I’ll be watching this new Slack feature closely to see how cyber criminals use it to send malware to folks within orgs, and how it’s leveraged in phishing,” Tobac said.

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, also commented on the topic.

“When a collaboration platform adds features which extend beyond a single organization’s boundary, a complex set of issues inevitably arise. Email has historically been the primary channel for such interactions and we have spent the last couple of decades adding checks for inappropriate content, phishing, malware, etc. to that channel. Slack’s decision to enable such a channel without any of those controls in place appears to have totally ignored this historical context,” Tavakoli told SecurityWeek.

*updated to clarify that while Slack Connect DMs can be used by customers on both free and paid plans, only users on paid plans can currently initiate DMs. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
