Last week Slack debuted its long-awaited “Connect” direct messaging feature, which allows users to send invites to other users via an email address. Within just a few days it was gone, pulled due to a technical oversight that created major security concerns.

Billed as a way for businesses to easily loop vendors and partners into discussions and to more quickly address customer concerns, the feature allows anyone who accepts an email invite to immediately begin interacting with a company's Slack workspace without being granted full access. A serious flaw in this email invite system is the source of the security concerns. The invites can contain customizable text (up to 560 characters), and Slack apparently did not place any real restrictions on what could be included. The invite is then sent from a generic Slack email address, which provides a means to slip through filters and makes it very difficult to block without also blocking other legitimate emails from the service.


At minimum, this created an opportunity for targeted harassment. At worst, it potentially opened up a route for phishing and malware enhanced by being delivered from a trusted source.
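One defensive response to the problem described above is to treat the free-text portion of a service-generated invite as untrusted, even though the envelope sender is a trusted notification address. The following is an added illustration, not code from the original post or from Slack: a small triage routine that inspects inbound invite-style messages from an assumed notification sender, flags custom text that exceeds the expected length, and flags any embedded link whose host is not on an allowlist of the service's own domains. The sender address, the allowed domains and the sample messages are all constructed placeholders for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the example (not real Slack invite emails).
SAMPLE_MESSAGES = [
    {"from": "no-reply@example-collab.invalid",
     "subject": "Alice invited you to a conversation",
     "body": "Hi, join me to discuss the Q3 vendor contract."},
    {"from": "no-reply@example-collab.invalid",
     "subject": "Alice invited you to a conversation",
     "body": "Your mailbox is full, verify now: "
             "https://login.example-collab.invalid.evil.test/reset"},
    {"from": "no-reply@example-collab.invalid",
     "subject": "Alice invited you to a conversation",
     "body": "Deck here: https://docs.example-collab.invalid/deck"},
]

# Assumed notification sender and the domains the service itself would link to.
TRUSTED_SENDER = "no-reply@example-collab.invalid"
ALLOWED_LINK_DOMAINS = {"example-collab.invalid"}
# Upper bound on the custom text an invite may carry (figure quoted in the post).
MAX_CUSTOM_TEXT = 560

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def inspect_invite(msg, trusted_sender=TRUSTED_SENDER,
                   allowed_domains=ALLOWED_LINK_DOMAINS):
    """Return a list of findings for one message; an empty list means no concern."""
    findings = []
    # Only apply the invite rules to mail that rides the trusted notification sender.
    if msg["from"].lower() != trusted_sender:
        return findings
    body = msg["body"]
    if len(body) > MAX_CUSTOM_TEXT:
        findings.append("custom text exceeds expected length")
    # Any link that does not point back at the service is attacker-controllable text.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_allowed(host, allowed_domains):
            findings.append(f"link to non-service domain: {host}")
    return findings


def triage(messages):
    """Inspect a batch of messages and return one findings list per message."""
    return [inspect_invite(m) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(msg["subject"], "->", findings or "clean")
```

The sender comparison here is only a routing decision about which rules to apply; it is not authentication, and in a real mail pipeline the trusted-sender check would rest on SPF/DKIM results rather than on the From header alone. The point of the example is that filtering on the sender is exactly what the post says does not work, so the content of the invite text itself has to be inspected.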


Author: Devin Redmond

Devin has more than 2 decades of experience in enterprise risk and compliance. The former CEO and Co-Founder of Nexgate, a pioneer in social and digital media compliance and security acquired by Proofpoint (PFPT) in 2014, he also held executive and leadership roles at Check Point, Neoteris, Websense, and more. In addition to having lived in 7 countries and speaking 3 languages, Devin is a frequent public speaker who is passionate about modern digital risk and compliance technology that helps businesses gain a competitive advantage.
