Slack’s move to open up DMs is a slow motion car crash.
Slack said today that it will let users “securely connect with anyone outside of your organisation with Slack Connect direct messages” — in short, open up DMs to external parties — in a move that has drawn an immediate and vociferous backlash from users concerned about harassment, cybersecurity, and spam.
“Being able to message anyone in Slack is going to jump-start new customer connections, enabling us to kick off sales opportunities and start critical conversations earlier,” said Stripe’s Head of Global Product Sales James Dyett in a grab-quote cheerfully deployed by Slack in a post on the announcement.
And that, for many, is the fear.
Slack gets used in various ways but a primary one for many enterprises remains as an internal collaboration tool.
The company — bought by Salesforce for $27.7 billion — has been working for some time to further displace email by offering the ability to collaborate with other organisations via its “Slack Connect” offering of shared channels. The steady roll-out of broader inter-organisation collaboration tools makes sense for a company aiming to take more market share from Teams and Ye Olde Fashioned Email. But by opening up DMs (via invitation) to third parties using Slack Connect DMs, a vision of endless sales pitches, job offers, and phishing campaigns rears its ugly head in the imagination of many. (Slack Connect DMs is GA today for paid users.)
“Amazing! I’m excited to see the tutorial on how to permanently disable this for my org” was among the typical responses via Twitter on the launch. HashiCorp’s founder was blunter: “Took about 4 hours for our security & IT team to disable Slack Connect DMs. We don’t need a shittier version of email to exist in probably the worst email client imaginable without any of the security tools to protect employees. Hard pass.”
And an immediate backlash over the potential for harassment saw Slack promptly apologise: “After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs,” said Jonathan Prince, VP of Communications and Policy.
He added: “We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”
Critically, the offering also appears to be on by default.
Security experts say opt-in, not opt-out, should be the default setting.
As Hacker & CEO Rachel Tobac of SocialProof Security noted on Twitter: “For many employees, Slack is seen as a trusted communication zone. This changes that for orgs. If those outside the trusted space have access, it’s now an attack option. As a pentester I used to use more spoofable comms like email, SMS, & phone to attack & now I’ll try Slack too… This will increase admin fatigue & mistakes. Lots of folks mentioning that admins can opt-out. Good that this isn’t mandatory but I firmly believe trust zone changes like this should be opt-in, not opt-out. Bake privacy and security in by design here, don’t increase errors and issues by making opt-in the default.”
“I’m hearing from colleagues at Slack that significant proportions of people on the product teams involved were opposed to this and were then essentially overruled by a product executive,” another observer noted.
Slack thinks the shift from email to its own channels will massively reduce phishing attacks by default, as “unlike email, teams receive communications only from verified members in Slack channels.”
And apropos of concerns that administrators across organisations will now be able to see DMs, Slack told The Stack: “Administrators can see that there is a relationship between their organization and another via the Connections view. The same controls an administrator has put in place for Slack Connect channels shared with external organizations apply to Slack Connect DMs.” (Slack has published separate guidance for administrators.)
“Soon, admins will also be able to restrict the behaviours of members from partner organisations, such as inviting others and installing apps,” the company notes in its release blog, adding that it is “building industry-standard malware protection and link scanning, where malicious activity is automatically prevented.”