Organizations rush to restrict new Slack Connect feature fearing security threats
Work collaboration platform Slack formally announced today a new feature named Slack Connect DMs that allows users to send direct messages to any Slack user in any other organization.
Slack said it designed the feature so that companies and their employees can easily connect with business partners through shared workspaces and direct messages between employees of different organizations.
But several organizations have told The Record today that they've already disabled the feature or plan to do so in the coming days. This includes two security firms, an internet infrastructure company, and two small software makers, all of which cited major security concerns with Slack Connect.
The primary cited reason was the ability of complete strangers to reach out to their employees with invitations to private chats where they might attempt phishing or other social engineering attacks.
The same attacks can be carried out against employees over email. The difference, The Record was told, is that companies usually have full control over their email servers, where they can block attacks while letting legitimate messages through. For out-of-org DMs on Slack they have no such granular control, only an on/off switch.
All of these companies have now used settings that Slack provides to paying customers to restrict their employees' ability to start private conversations with users outside their primary Slack organization.
Although the Slack Connect DM feature has its uses, security experts don't recommend enabling it unless strict access control lists are put in place to control which employees can participate in cross-organizational chats.
These controls are a must, especially when it comes to setting up which of a company's employees can receive out-of-org DMs.
As several security experts pointed out today on Twitter, the feature could be abused not only for phishing, malware delivery, or social engineering attacks, but also to spam and harass users if it is left enabled for Slack rooms.
Slack Connect is a safety, privacy, and security nightmare
While opt-in, there's still no block, and each opt-in request is a potential harassment attempt that can't be blocked
Short thread on additional app access concerns (e.g., Google Drive) https://t.co/OV1GZF5D9G
— insecurity princess (@saraislet) March 24, 2021
Furthermore, users are also questioning Slack's decision to enable this feature for all its users by default, which automatically exposes companies to new threats.
In addition, Slack Connect is very likely to cause huge headaches for companies in regulated fields that must manage data retention policies. Administrators in those companies need a clear picture of whether logged conversations are also available to third parties outside their organization, especially when employees discuss sensitive projects in DMs.
Heads up that slack also quietly enabled a direct message "slack connect" feature that seems to be a nightmare for anyone in a regulated environment in that it allows sharing files and connections by default. Unclear if any sort of approval is required?! https://t.co/SE7D1ZPJlk
— jeff bryner (@0x7eff) March 18, 2021
Updated at 4pm ET to add that Slack has tweaked its Connect DM feature and will no longer allow users to customize the invite message text, in order to prevent spam and harassment.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.