Last week Slack debuted its long-awaited “Connect” direct messaging feature, which allows users to send invites to other users via an email address. Within just a few days it was gone, pulled due to a technical oversight that created major security concerns.
Billed as a way for businesses to easily loop vendors and partners into discussions and to address customer concerns more quickly, the feature allows anyone who accepts an email invite to immediately begin interacting with a company's Slack workspace without being given full access. A serious flaw in this email invite system is the source of the security concerns. Invites can contain customizable text (up to 560 characters), and Slack apparently placed no real restrictions on what that text could include. The invite is then sent from a generic Slack email address, which lets the message slip through filters and makes it very difficult to block without also blocking legitimate emails from the service.
At minimum, this created an opportunity for targeted harassment. At worst, it potentially opened a route for phishing and malware delivery made more credible by arriving from a trusted sender.
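The core defect described above is that attacker-controlled text was placed into an email sent from a trusted, generic service address with no restrictions beyond length. The following is an added illustration of the kind of server-side policy a service could apply to such user-supplied invite text, plus a rendering step that keeps the user's text visibly separate from the service's own wording. It is example code written for this page, not Slack's implementation; the only value taken from the article is the 560-character limit, and the specific checks (rejecting links, HTML, and control characters) and the `validate_invite_message` / `render_invite` names are assumptions chosen for illustration.

```python
import html
import re

# From the article: invite text is capped at 560 characters.
MAX_LEN = 560

# Assumed policy (not from the article): user-supplied invite text is a
# free-form greeting, so it has no legitimate need to carry links, markup
# or control characters. Rejecting them removes the main phishing lever
# (a trusted sender delivering an attacker-chosen URL).
URL_RE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+"                      # explicit URLs
    r"|\b[\w.-]+\.(?:com|net|org|io|co|ru|xyz|link)\b"   # bare domains
)
HTML_RE = re.compile(r"<[^>]+>")
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_invite_message(text: str) -> list[str]:
    """Return the list of policy violations for a user-supplied invite message.

    An empty list means the text is acceptable under the assumed policy.
    Every violation is reported (not just the first) so the caller can log
    what was attempted, which is useful for spotting abuse patterns.
    """
    problems = []
    if len(text) > MAX_LEN:
        problems.append("too_long")
    if URL_RE.search(text):
        problems.append("contains_url")
    if HTML_RE.search(text):
        problems.append("contains_html")
    if CONTROL_RE.search(text):
        problems.append("contains_control_chars")
    return problems


def render_invite(inviter_name: str, workspace: str, message: str) -> str:
    """Build the invite email body with user text clearly delimited.

    The service's own wording is fixed; the user's text is HTML-escaped and
    shown inside a labelled quote block so that a recipient can tell which
    words came from the service and which came from the (untrusted) inviter.
    Raises ValueError if the message fails validation, so a bad message is
    never rendered by accident.
    """
    problems = validate_invite_message(message)
    if problems:
        raise ValueError(f"invite message rejected: {', '.join(problems)}")
    safe_name = html.escape(inviter_name)
    safe_ws = html.escape(workspace)
    safe_msg = html.escape(message)
    return (
        f"<p>{safe_name} invited you to message them in the {safe_ws} workspace.</p>\n"
        f"<p>Message from {safe_name} (written by the inviter, not by the service):</p>\n"
        f"<blockquote>{safe_msg}</blockquote>"
    )


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(validate_invite_message("Hi, joining for the Q3 vendor review. Thanks!"))
    print(validate_invite_message("Your account is locked. Verify at http://login-reset.example/"))
    print(render_invite("Ada", "Acme Corp", "Looking forward to working together."))
```

`validate_invite_message` rejects rather than rewrites, because silently stripping a link from a crafted message still leaves the urgency text in place; returning every violation at once also gives the abuse team a signal about what senders are trying. `render_invite` does not trust the name or workspace fields either, since those are equally user-controlled on most such services.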