Slack rolled out a new cross-organizational direct messaging feature, and hours later disabled the option to send a message alongside an invite due to concerns that the feature could be used to send abusive messages or enable harassment.
According to TechCrunch, with Connect DMs, "employees at more than 74,000 organizations and counting can now securely direct message anyone – inside or outside their company." The feature is opt-in, not opt-out, and if the IT admins don't turn the feature on, their users won't be able to either send or receive DMs through the new system, TechCrunch reports.
According to The Verge, Twitter employee Menotti Minutillo was the first to raise concerns about Slack Connect DMs, noting the feature lacked opt-out protections for individual users, meaning someone could send a hateful message or harass an individual through the feature. Other users highlighted that the "DM anyone" plan was intrusive.
Jonathan Prince, the company's vice president of communications and policy, told The Verge, "After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs."
"Slack Connect's security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue," Prince said.
Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, says, "When a collaboration platform adds features which extend beyond a single organization’s boundary, a complex set of issues inevitably arise. Email has historically been the primary channel for such interactions and we have spent the last couple of decades adding checks for inappropriate content, phishing, malware, etc. to that channel. Slack’s decision to enable such a channel without any of those controls in place appears to have totally ignored this historical context."
According to Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, "In today’s current climate, privacy is becoming paramount. Slack did have a mishap in providing a way to bypass privacy and some security related concerns, however, they responded quickly to remove them. While privacy and security are not the same thing, they do tend to go hand in hand. Therefore, a privacy workaround may prove to provide security workarounds as well. It is critical that technology providers at all levels work diligently to ensure privacy concerns are addressed. The onus of this effort is more so on technology providers of collaboration and communications technology such as it is with social media platforms."
Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, says, "Product management is always about user experience, about features that help and support users in what they do with the product. This one falls into the 'it's compiled, roll it out' category of not thinking twice about how a feature is potentially used by someone with malicious intent. This gaffe by Slack has been quickly identified and stopped, but puts some shadow on its roadmap process and the way features are selected and verified from all kinds of security aspects a user can be concerned about, including bullying."