Slack is one of the hottest startups out there right now, after having won over a wide range of tech companies with its enterprise collaboration tool. Usually that would be a good thing, except that different projects those companies are working on might have been exposed thanks to a “feature” that makes team names visible to unauthenticated users.
Earlier, the feature in question allowed anyone to begin signing up using any email address at a specific domain, and then prompted them to select from the teams available at that company. That’s great for creating a fast onboarding workflow for users, but not so great when any random person can enter an unverified email address at a company’s domain and get unauthenticated access to the list of that company’s teams.
Slack says the visibility of those team names was not entirely its fault. In a statement, the company points out that team discoverability via email domain is a setting team owners and administrators can control. It can also be set so that users can join by invitation only, which Slack says will not make team names visible to all.
That might be the case, but it’s silly to blame users for a setting that probably should have been turned off by default. While it might have resulted in fewer employees immediately signing up for teams if they needed to be invited, the unintended consequence of exposing top-secret projects is probably a much bigger issue for its customers.
That’s not to say the company doesn’t realize there’s a problem with its sign-on process. In the statement, Slack acknowledged that as companies have added more and more teams, the sign-in process has become more cumbersome anyway. As a result, it’s looking to refine that process to streamline onboarding, as well as adding features like single sign-on to address other issues.
UPDATE: Slack has since updated sign-in on desktop, and says a change is also in the works for its mobile apps, which it hopes to have live over the coming weeks. The company said that the change will make team names no longer visible when a user signs in, while it overhauls the entire sign-in process.
That doesn’t seem like a quick fix, however, and in the meantime the company says it will be reaching out to clients to clarify the settings and how they affect whether or not team names are visible to unauthenticated users. That is, if those team admins aren’t already aware of the issue thanks to all the news about it.
Here is Slack’s statement in its entirety on the subject:
We understand that there is concern that people attempting to sign in to a Slack team were able to see all the teams associated with a particular email domain, even when the user was unauthenticated. There has been a good deal of confusion about this and we’d like to clarify.
The ability to view team names that relate to a particular team’s email domain or individual’s email address is a feature designed to make it easy for our users to find and access teams. Many people who use Slack have team discovery via email domain enabled. This is a setting that the team owner and administrators control. It allows anyone using a particular email domain to see all the teams that have enabled the self-signup process for that domain. The majority of Slack users see these screens when they sign in.
To break this down a bit more: when a team is created, team owners have the option to allow anyone using a particular email domain (for example: anyone@MyCompanyNameHere.com) to view and sign up to join that team. Alternately, team owners can set the preference more narrowly so that people can join by invitation only, which does not make the team name visible to everyone at that domain. These settings can be changed at any time by team owners.
As companies have added more and more Slack teams, we’ve realized that this sign-in process, designed to make team communication faster and easier, has itself become cumbersome for many. We have been working on updating our sign-in process to address this, as well as adding support for single sign-on (SSO) and other improvements to streamline the sign-in process. We are working hard to push those changes out quickly, which will address this issue in a holistic way.
In the meantime, we are clarifying our language about this setting so it’s very clear to team owners and administrators that team names are discoverable in this manner and are communicating to our users how they can change this setting or any of their team names.
At Slack we pride ourselves on listening to our users and being as quick to respond as we can. We also want to take the time to make sure we understand a concern so we can address it properly and thoroughly. We take security seriously and encourage all security researchers to use our responsible disclosure policy, which is outlined at https://slack.com/whitehat.
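The domain-discovery behaviour the article and the statement describe, modelled in Python as an added example (this is not Slack’s code): the unauthenticated lookup that hands every domain-discoverable team name to anyone who types an address at that domain, beside a variant that discloses nothing until control of the mailbox has been proven with a one-time token, and that still never lists invitation-only teams. Team names, domains, and the function and variable names are constructed for the example.

```python
"""Weak vs. hardened team discovery by email domain (constructed model)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Team:
    name: str
    domain: str
    discoverable_by_domain: bool  # the team-owner setting from the statement


# Constructed sample data; the invite-only team must never be listed.
TEAMS = [
    Team("project-falcon", "example.com", True),
    Team("finance", "example.com", True),
    Team("dealroom", "example.com", False),      # invitation only
    Team("othercorp-eng", "other.example", True),
]


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def discover_teams_unauthenticated(claimed_email: str) -> list:
    """Weak: any unverified address at the domain reveals every
    domain-discoverable team name (the disclosure the article describes)."""
    d = domain_of(claimed_email)
    return sorted(t.name for t in TEAMS if t.domain == d and t.discoverable_by_domain)


# Hardened: same setting, but nothing is disclosed before mailbox control is proven.
_PENDING = {}  # email -> sha256(token) for a token that was "mailed" to that address


def start_verification(email: str) -> str:
    """Issues a one-time token; a real service would email it, not return it."""
    token = secrets.token_urlsafe(16)
    _PENDING[email.lower()] = hashlib.sha256(token.encode()).digest()
    return token


def discover_teams_verified(email: str, token: str):
    """Returns the discoverable teams only for a verified address; None otherwise.
    Unknown address and wrong token give the same answer, so no enumeration signal."""
    expected = _PENDING.get(email.lower())
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    del _PENDING[email.lower()]  # token is single use
    return discover_teams_unauthenticated(email)  # invite-only teams still excluded
```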