Major Slack Security Vulnerability Discovered

Adam K Chew
3 min read · May 30, 2016


An email address is one of the most sensitive pieces of information tied to an individual, because it is the internet handle they reuse across many websites.

Slack, a unicorn startup, has grown enormously in popularity over the past few years as a team chat application. More interestingly, many wildly popular Slack communities have also popped up, such as techmasters, SSG, startupchat and #freelancer, each with thousands of engaged members. Although Slack is a great tool for communication (we love it here at Croissant!), there is one security concern I have: it exposes community members' email addresses.

Slack member profile

Bothered by this, I started digging into the code of the Slack web client, looking for why this is. It turned out the problem is much worse than I originally thought: every email address in a given group is readily accessible from the client.

Anyone can download all the names and email addresses in any Slack group they belong to in a matter of seconds, with a single JavaScript command run from the browser's console.

To open the console, right-click in the body of the page while viewing a Slack channel and choose Inspect. This opens the Chrome Developer Tools. Click the Console tab, then run the command from this repository:

https://github.com/adamkchew/slack-group-emails

Execute it in the Console tab of the Chrome web inspector:

Script displaying all of my information

No one, including the group owner, has any way of knowing that the member list has been compromised. And yes, it works on any Slack group, including large public communities.
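To make concrete what "one command in the console" can extract, here is an added example, not the author's script and not code from Slack. It assumes the client already holds a member list whose objects follow the shape of Slack's public users.list API response (name, real_name, deleted, is_bot and a profile object containing email); the members below are constructed sample data, and where the web client keeps that list in memory is not stated on the page and is not assumed here.

```javascript
// Constructed sample data shaped like Slack's public users.list response.
// Not real accounts; where the web client holds this list is an assumption
// left open on purpose.
const sampleMembers = [
  { id: 'U01', name: 'alice', real_name: 'Alice Example', deleted: false, is_bot: false,
    profile: { email: 'alice@example.com' } },
  { id: 'U02', name: 'bob', real_name: 'Bob "Builder" Example', deleted: false, is_bot: false,
    profile: { email: 'bob@example.com' } },
  { id: 'U03', name: 'slackbot', real_name: 'Slackbot', deleted: false, is_bot: true,
    profile: {} },
  { id: 'U04', name: 'carol', real_name: 'Carol Example', deleted: true, is_bot: false,
    profile: { email: 'carol@example.com' } },
];

// Keep only live, human accounts that actually carry an email address.
function extractMemberEmails(members) {
  return members
    .filter((m) => !m.deleted && !m.is_bot && m.profile && m.profile.email)
    .map((m) => ({ name: m.real_name || m.name, email: m.profile.email }));
}

// RFC 4180-style quoting so a name containing a comma or a quote
// does not corrupt the CSV.
function csvField(value) {
  const s = String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function toCsv(rows) {
  const lines = ['name,email'];
  for (const r of rows) lines.push(`${csvField(r.name)},${csvField(r.email)}`);
  return lines.join('\n');
}

// Stand-alone run: prints the CSV an attacker would save from the console.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(toCsv(extractMemberEmails(sampleMembers)));
}
```

In a real browser session the last line would be replaced by the DevTools `copy()` helper (for example `copy(toCsv(extractMemberEmails(members)))`), which puts the CSV on the clipboard without any network request or server-side trace. That is the point of the example: once the client has been handed every member's profile, no UI setting stands between a member and a full export.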

I'm not the only person who has noticed the lack of a "hide email" option; there are numerous complaints on Twitter:

Tweets about this issue 1 year ago

I also took the time to email Slack, letting them know that this is going to be a security issue and should be fixed immediately, but what I got was the usual runaround:

Slack support email response

Slack keeps saying that it's on the roadmap, but with hundreds of millions of dollars in funding, it seems that if it were a priority it would be a quick and easy fix. That raises the question: why aren't they addressing this privacy issue? Note that a "hide email" toggle in the profile UI alone would not be enough; as long as the client is still handed every member's email address, the console trick above keeps working, so the field has to be withheld server-side for members who opt out. At the very least, when you sign up for a Slack community, it should warn you that your email address will be visible to everyone else there. Currently there is no such warning.

Please share this post if you want the option to hide your email! In the meantime, consider this a PSA: your email address is exposed, via Slack, to every member of every community you join.

Thanks for reading,
Adam
