Security News > 2021 > March > New Slack Connect DM Feature Raises Security Concerns
Business communications platform Slack rushed to take action on Wednesday after customers raised security-related concerns regarding a new feature that allows users to send direct messages to any other Slack user.
The new direct message feature, officially launched on Wednesday, is part of the Slack Connect service, which is advertised by the company as an efficient way for organizations to communicate with partners, vendors and customers - basically an alternative for email.
"Simply send an invite to any partner, and start messaging in Slack as soon as the other side accepts, speeding up the work that often starts over back-and-forth emails. A salesperson can form a direct line of contact to prospects, or a customer service agent can triage an issue faster, without waiting for the other side to check their email," Slack wrote in a blog post announcing the new feature.
Slack does plan on expanding the feature to allow even customers on free plans to initiate DMs. The feature is enabled by default, but administrators can opt out, Slack says in its documentation.
Hours later, Slack announced that - based on user feedback - it removed the ability to send custom messages when sending out invitations for Connect DMs. "Slack Connect's security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue," Slack said.
Dirk Schrader, global VP of security research at New Net Technologies, a Florida-based provider of cybersecurity and compliance software, told SecurityWeek, "Product management is always about user experience, about features that help and support users in what they do with the product. This one falls into the 'it's compiled, roll it out' category of not thinking twice about how a feature is potentially used by someone with malicious intent. This gaffe by Slack has been quickly identified and stopped, but puts some shadow on its roadmap process and the way features are selected and verified from all kinds of security aspects a user can be concerned of, including bullying."