What is Slack?
Slack is a cloud based messaging app developed by Slack technologies. The messaging technology was originally developed as an organizational communication tool. However, it has since been adopted as a community platform often replacing message boards and social media groups on Facebook or LinkedIn. In Slack, messages are organized into channels. The channels can correspond to anything, such as projects, teams, office locations and business units. Whole teams are provided access to a channel setup specifically for the team. Then, anytime a team member has an update, question or document to share, they just put it into the channel. It is in Slack’s document sharing capabilities that the privacy flaw lies.
The Slack App Privacy Flaw Explained
Slack is supposed to keep a shared file private to a specific conversation. However, it turns out this is not what is happening. Slack’s privacy flaw is allowing private files uploaded in one private conversation to be shared with another private conversation. Even more worrying is the fact that the person who shared the private file has no idea that their file is being shared with others. This constitutes a huge privacy breach. “Due to the fact that Slack users can only be aware of private conversations that they are members of, file owners have no way to tell that their files were shared in other private conversations,” explained Polyrize, the Israeli security firm that discovered the privacy flaw in Slack.
No Such Thing as “Unshare”
Any person with access to a channel can see and access shared files on that channel. Strangely however, if shared files are subsequently removed from a channel, a person who receives access to the channel after the files were removed, can still see and access these files. Furthermore, this person can share the files with others on different private channels, even though the shared files have been removed from the original channel. As Polyrize states: “If you share your file once, even if you later unshare it, that file can still be exposed to other people, without any indication to you.”
Slack’s Response
A Slack spokesperson stated: “We understand how important file security is for Slack’s customers. The behavior described only applies to two types of files in Slack, Snippets and Posts (two options for sharing and collaborating around longer form content in Slack). Most files shared in Slack are not these types of files.” All other file types are still perfectly safe to share on Slack.
What to Do?
Slack technologies are working to fix the flaw and are looking to roll out an update as soon as possible. Businesses running Slack are advised to ensure they apply these updates as soon as they become available. In the meanwhile, users are advised not to share Posts and Snippets containing sensitive information in private channels until a fix for Slack’s privacy flaw has been rolled out. If not, files should only be shared with people who can be trusted not to reshare them into different conversations.