There’s a bit of chatter today about an apparent Slack vulnerability that lets anyone snoop on other companies and find out which teams they have on the service. Technically it isn’t a vulnerability at all: Slack has been aware of the behavior since at least August and has even called it a feature.
That’s true. It’s a tradeoff between usability & keeping the team names a secret, since each team has its own accounts. With the current design we’re making it easier for people to select the team they want to sign in to. However, we’re in the middle of overhauling the auth system as we move to support SSO & 2-factor auth, which will remove this feature completely (needs mobile releases, etc.). Other info about security & privacy at http://slack.com/security & http://slack.com/privacy
When I contacted Slack about the problem, founder Stewart Butterfield responded that the feature “won’t be around for that much longer.” Exposing team names may be a feature, but it’s an ill-conceived one with worrying privacy implications.
The good news is the feature/vulnerability doesn’t appear to have done much damage, as most companies’ team names end up being fairly innocuous. Valleywag did, however, speculate about a possible Google acquisition after spotting a “Tribe Wearables” group on the company’s Slack page. If your company is using Slack, you should stick to codenames for your top-secret projects while waiting for Slack to finish revamping its authentication system.
UPDATE: Slack just added a post to its blog about today’s news. In the post the company states that it takes “privacy and security very seriously.” It notes that in order for a team to be visible via email domain, the team owner needs to have enabled that option while creating the team, and that a team’s visibility can be turned off at any time.
It reiterated its earlier statement that it is in the final stages of a redesign that streamlines the team sign-in process. While that work is finishing, Slack will be updating the setting’s language:
In the meantime, we are clarifying our language about this setting so it’s very clear to team owners and administrators that team names are discoverable in this manner and are communicating to our users how they can change this setting or any of their team names.
In the meantime, if you have a team that you don’t want the outside world to see, you can change the team’s visibility setting at any time.
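To make the privacy point concrete, here is a small model of the two designs at issue: a lookup that returns a domain’s team names to whoever types in an address, and a variant that only ever sends those names to the mailbox itself. This is an added illustration written for this page, not Slack’s code; the team names, domains, the `discoverable` flag and the `send_email` hook are all constructed, and nothing here describes Slack’s actual endpoints or which design it shipped.

```python
"""Hypothetical model of domain-based team discovery (constructed example, not Slack's code)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Team:
    name: str
    email_domain: str
    discoverable: bool  # the per-team opt-in that an owner can switch off at any time


# Constructed sample data: hypothetical teams, not real Slack customers.
TEAMS: List[Team] = [
    Team("acme-hq", "acme.example", discoverable=True),
    Team("project-falcon", "acme.example", discoverable=True),
    Team("acme-legal", "acme.example", discoverable=False),
    Team("globex", "globex.example", discoverable=True),
]

GENERIC_REPLY = "If this address belongs to any team, we have emailed you sign-in links."


def domain_of(email: str) -> str:
    """Extract and normalise the domain of an address; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("not a valid email address")
    return domain.lower()


def discoverable_teams(email: str, teams: List[Team]) -> List[str]:
    """Teams whose owners opted in to domain-based discovery for this address's domain."""
    domain = domain_of(email)
    return sorted(t.name for t in teams if t.email_domain == domain and t.discoverable)


def lookup_teams_leaky(email: str, teams: List[Team] = TEAMS) -> List[str]:
    """Weak design: the team names go straight back to whoever typed the address.

    Nothing proves the caller controls the mailbox, so anyone can enumerate
    a company's team names by guessing any address at its domain.
    """
    return discoverable_teams(email, teams)


def lookup_teams_hardened(email: str, send_email: Callable[[str, List[str]], None],
                          teams: List[Team] = TEAMS) -> str:
    """Hardened design: team names travel only to the mailbox itself.

    The reply to the caller is identical whether or not any team matches, so
    the endpoint is not an oracle for which domains or teams exist.
    """
    names = discoverable_teams(email, teams)
    if names:
        send_email(email, names)  # only the mailbox owner learns the names
    return GENERIC_REPLY


def set_discoverable(teams: List[Team], name: str, value: bool) -> None:
    """The owner toggle the update describes: visibility can be turned off at any time."""
    for t in teams:
        if t.name == name:
            t.discoverable = value
            return
    raise KeyError(name)


if __name__ == "__main__":
    print("leaky:", lookup_teams_leaky("anyone@acme.example"))
    outbox = []
    print("hardened:", lookup_teams_hardened("anyone@acme.example",
                                             lambda addr, names: outbox.append((addr, names))))
    print("mail sent:", outbox)
```

The leaky variant is the behavior the article describes: a guessed address at a company’s domain is enough to list that company’s opted-in teams. Turning `discoverable` off for a team is the mitigation Slack’s blog post points owners to; the hardened lookup is a separate design choice added here for contrast, in which the server never reveals names to the requester and answers unknown and known domains identically.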