Popular corporate messaging service Slack today addressed reports of a security flaw which reveals the internal team names of its high-profile customers, including Apple, Google, Twitter, Microsoft, and Mozilla. According to Slack, this isn’t a security flaw at all, but a “feature” which companies can turn on and off manually.
In response to security concerns raised today, Slack acknowledged the oversight in a statement, saying it will clarify its language “so it’s very clear to team owners and administrators that team names are discoverable in this manner.” Slack also says it is already “communicating to our users how they can change this setting or any of their team names.”
This “feature” was first introduced in August, and was called a “tradeoff between usability & keeping the team names a secret” by Slack.
The issue above exists in part due to Slack’s on-boarding process, which suggests internal groups to anyone who enters a company email address. Currently, anyone can attempt to sign up as “firstname.lastname@example.org” on Slack.com, for example, and view team names which could reveal private company strategies.
Here’s Slack’s statement on the matter, in full:
We understand that there is concern that people attempting to sign in
to a Slack team were able to see all the teams associated with a
particular email domain, even when the user was unauthenticated. There
has been a good deal of confusion about this and we’d like to clarify.
The ability to view team names that relate to a particular team’s
email domain or individual’s email address is a feature designed to
make it easy for our users to find and access teams. Many people who
use Slack have team discovery via email domain enabled. This is a
setting that the team owner and administrators control. It allows
anyone using a particular email domain to see all the teams that have
enabled the self-signup process for that domain. The majority of Slack
users see these screens when they sign in.
To break this down a bit more: when a team is created, team owners
have the option to allow anyone using a particular email domain (for
example: anyone@MyCompanyNameHere.com) to view and sign up to join
that team. Alternately, team owners can set the preference more
narrowly so that people can join by invitation only, which does not
make the team name visible to everyone at that domain. These settings
can be changed at any time by team owners.
As companies have added more and more Slack teams, we’ve realized that
this sign in process, designed to make team communication faster and
easier, has itself become cumbersome for many. We have been working on
updating our sign in process to address this, as well as adding
support for single sign-on (SSO) and other improvements to streamline
the sign in process. We are working hard to push those changes out
quickly, which will address this issue in a holistic way.
In the meantime, we are clarifying our language about this setting so
it’s very clear to team owners and administrators that team names are
discoverable in this manner and are communicating to our users how
they can change this setting or any of their team names.
At Slack we pride ourselves on listening to our users and and being as
quick to respond as we can. We also want to take the time to make sure
we understand a concern so we can address it properly and thoroughly.
We take security seriously and encourage all security researchers to
use our responsible disclosure policy, which is outlined at