This week Slack Messenger developers announced a new Connect DM feature that allows sending messages directly to any Slack user in any organization. The developers positioned it as a new and convenient way to communicate with business partners. However, users and cybersecurity experts did not like that the new functionality was enabled by default. The fact is that even if a user has Connect DM disabled, they will still receive email notifications and messages from everyone who tried to contact them, including random people who may abuse this feature simply to send someone a barrage of insults.
Even worse, outsiders were suddenly able to speak directly to employees of any company and invite them to private chats, where they could be subjected to phishing attacks and suffer from social engineering.
The community’s reaction was immediate. For example, on Twitter, several security experts wrote that this function can be abused not only for phishing or spreading malware, but also for sending spam and harassing specific people. The problem is that users had no mechanism to block such messages, nor even a way to report abuse to an administrator.
Because of this, companies began disabling Connect DM en masse, and information security specialists advised using this function only in conjunction with strict access control lists that control which employees can participate in interorganizational chats.
Vice’s Motherboard contacted Slack representatives and asked what they intend to do about the problems that have arisen.
The company admitted that they made a mistake:
At the same time, a Slack spokesman refused to say whether the company plans to rework Slack Connect DM as a whole and, for example, add a much-needed blocking feature. The company said that a Trust & Safety team has been operating at Slack since 2016, but Slack disclaims responsibility for moderating its platform, shifting it to the companies that use it.
Let me remind you that a researcher discovered a vulnerability in Telegram that allows locating a user.