Slack's new 'Connect' feature turned out to allow unlimited harassment, even of non-Slack users, and was hastily fixed
On March 24, 2021 local time, Slack released a new feature, Slack Connect, that allows you to exchange direct messages with non-Slack users. This feature, offered for the paid version, lets you send and receive direct messages via an email address, but it turned out that it could effectively be used for harassment, because it lets anyone send an email with arbitrary content from Slack's servers. Slack itself is now fixing the feature.
Slack pledges update to “Connect DM” after realizing harassment exists | Ars Technica
Slack quickly removes message invites in its new DM feature over harassment concerns - The Verge
https://www.theverge.com/2021/3/24/22348743/slack-connect-dm-abuse-harassment-disable-message-invite-response
Slack's newly released 'Slack Connect' lets you easily start collaborating with people outside your company: you simply enter an email address and an enclosed message and send it, and an invitation email to the specified channel is sent. It is a new feature for paid editions. Since it is an opt-in feature (off by default), an administrator must enable the setting before it can be used.
You can understand this new feature by reading 'Getting Started with Slack Connect' below.
Start Slack Connect | Slack
https://slack.com/intl/ja-jp/resources/using-slack/setting-up-a-shared-channel
The problem with Slack Connect is that it allows unlimited harassment. As mentioned above, Slack Connect sends an invitation email to the email address you entered, but because any content could be entered in the enclosed message, it was possible to send a harassing message. Furthermore, since the sender of the invitation email is '[email protected]', the emails cannot be blocked by automatic filtering either, which makes the feature very easy to use for harassment.
well that was easy as shit to abuse
— Menotti Minutillo (@44) March 24, 2021
- send invite with nasty language
- slack emails you w/ the full content of the invite
- can't block the emails because they come from a generic slack address that informs you of invites
- abuser can keep inviting w/ abusive language https://t.co/Mw9W5L251a pic.twitter.com/dWEAD7ccRO
This harassment issue was discovered and pointed out by users shortly after the feature was released. Slack, on the other hand, had announced Slack Connect back in October 2020, so it has been criticized along the lines of 'Did you realize the possibility of harassment for about half a year?'
Slack has already changed the specification that allowed the enclosed message to be entered freely, so that only fixed phrases are now enclosed. 'Thanks to everyone who raised their voices,' Slack said.
in Software, Web Service, Posted by darkhorse_log