Earlier today, Slack began rolling out a new feature that allowed paid users to send a direct message to any other Slack user as long as they had their email address. The company is now disabling the option to send someone a message with an invite to chat after several individuals and publications like The Verge highlighted the potential to use it for harassment.
"We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs," Jonathan Prince, Slack's VP of communications and policy, told The Verge. "We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage."
well that was easy as shit to abuse
- send invite with nasty language
- slack emails you w/ the full content of the invite
- can't block the emails because they come from a generic slack address that informs you of invites
- abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a
— Menotti Minutillo (@44) March 24, 2021
Twitter employee Menotti Minutillo first highlighted the potential loophole left open by Slack Connect DMs. The feature, which Slack envisioned as a way for people across different organizations to connect, didn't give individuals an easy way to opt out. Making matters worse, Slack forwarded the invites and any accompanying message using its email@example.com address, which meant you couldn't filter the messages through your email client without blocking important notifications from Slack and your organization.
Granted, if you already had someone's email, you could just as easily send them abusive messages that way or harass them on any number of other platforms. But it's exactly these types of loopholes you expect a company like Slack to account for and test for when it introduces new features.