Popular corporate messaging service Slack today addressed reports of a security flaw that reveals the internal team names of its high-profile customers, including Apple, Google, Twitter, Microsoft, and Mozilla. According to Slack, this isn’t a security flaw at all but a “feature” that companies can turn on and off manually.
In response to security concerns raised today, Slack acknowledged the oversight in a statement, saying it will clarify its language “so it’s very clear to team owners and administrators that team names are discoverable in this manner.” Slack also says it is already “communicating to our users how they can change this setting or any of their team names.”
This “feature” was first introduced in August, and was called a “tradeoff between usability & keeping the team names a secret” by Slack.
The issue exists in part because of Slack’s on-boarding process, which suggests internal teams to anyone who enters a company email address, without requiring that person to authenticate. For example, anyone can attempt to sign up as “firstname.lastname@example.org” on Slack.com and view team names that could reveal private company strategies.
Here’s Slack’s statement on the matter, in full:
We understand that there is concern that people attempting to sign in to a Slack team were able to see all the teams associated with a particular email domain, even when the user was unauthenticated. There has been a good deal of confusion about this and we’d like to clarify.
The ability to view team names that relate to a particular team’s email domain or individual’s email address is a feature designed to make it easy for our users to find and access teams. Many people who use Slack have team discovery via email domain enabled. This is a setting that the team owner and administrators control. It allows anyone using a particular email domain to see all the teams that have enabled the self-signup process for that domain. The majority of Slack users see these screens when they sign in.
To break this down a bit more: when a team is created, team owners have the option to allow anyone using a particular email domain (for example: anyone@MyCompanyNameHere.com) to view and sign up to join that team. Alternately, team owners can set the preference more narrowly so that people can join by invitation only, which does not make the team name visible to everyone at that domain. These settings can be changed at any time by team owners.
As companies have added more and more Slack teams, we’ve realized that this sign in process, designed to make team communication faster and easier, has itself become cumbersome for many. We have been working on updating our sign in process to address this, as well as adding support for single sign-on (SSO) and other improvements to streamline the sign in process. We are working hard to push those changes out quickly, which will address this issue in a holistic way.
In the meantime, we are clarifying our language about this setting so it’s very clear to team owners and administrators that team names are discoverable in this manner and are communicating to our users how they can change this setting or any of their team names.
At Slack we pride ourselves on listening to our users and being as quick to respond as we can. We also want to take the time to make sure we understand a concern so we can address it properly and thoroughly. We take security seriously and encourage all security researchers to use our responsible disclosure policy, which is outlined at https://slack.com/whitehat.