For Slack’s 8M+ daily users, the chat system represents more than just a communications tool. It also functions as a digital water cooler for company gossip, a channel for the airing grievances and a mentorship platform for junior employees can interact directly with senior counterparts. And in some cases — a platform that employees share sensitive and important login details and passwords.
The intimate nature of Slack leads most users to the assumption that their communications are confidential. However, there are a number of security blind spots on Slack that leave companies in a vulnerable position. Review them below, then take the suggested actions at the end of this article in order to stay as safe as possible.
The security risks of Slack
To be clear, we’re not recommending giving up Slack — the productivity benefits associated with its use are substantial. However, if you’re going to use Slack for any business purpose, you need to maintain a clear understanding of the risks involved, as well as the degree to which they can be mitigated.
Risk #1: The onboarding of employee and guest users
Some of the risks that come along with using Slack have to do with weaknesses in its code, discussed later in this article, which businesses need to be aware of but may be unable to change. In other cases, however, Slack’s security risks come from user error.
That’s the case with the proper on-boarding and off-boarding of Slack user accounts for both internal employees and external guests. If either is left in the workspace after their affiliation with the company has ended, the users may retain access to confidential or sensitive information.
To prevent this from occurring:
- Add the on-boarding and off-boarding of Slack accounts to your standard employee onboarding and termination procedures. Communication with HR is vital; IT (or whoever is responsible for creating and deleting Slack user accounts) must know exactly when to create and delete user accounts. This is especially important in the event of contentious terminations, when every minute the terminated employee remains in the system represents a liability.
- If your organization grants the ability for admins to add external guests, your organization also needs to have a regularly-reviewed and enforced policy to remove guests after their engagement is complete.
Risk #2: The power granted to “Owner” and “Admin” roles
BetterCloud’s Christina Wang points out that Slack users with “Owner” and “Admin” roles have significant power within the system — often more than most administrators realize.
For example, Wang shares that “By default, only Slack Workspace Admins and Owners can create and manage user groups. But any admin can change those settings in a drop-down menu.” Effectively, any one of your organization’s admins can go in and make it possible for all of a workspace’s users to create, modify or disable user groups. Besides the obvious potential for abuse, doing so increases the odds of user error resulting in unintentional deletion of important groups.
Granting admin rights to a few users can be beneficial, as it prevents only one employee being responsible for creating, moderating and managing user groups. But at the same time, you have to balance the potential risks of data loss when doing so. Make sure you understand what rights Admin and Owner roles have, and that you’re comfortable assigning these privileges to employees chosen to be admins.
Risk #3: The threat posed by third-party app integrations
This one should come as no surprise: Be cautious when linking Slack to third-party apps, especially those that contain other types of sensitive information (such as your CRM, Google Drive, etc).
Consider that, in 2016, employees at 18F shared Google Drive documents through Slack, inadvertently exposing more than 100 governmental Google Drive accounts at the General Services Administration (GSA) for nearly six months. The breach occurred because the GSA had made the connection between the two apps using an authentication protocol known as “OAuth2.0,” which neither Slack nor the GSA’s IT standards had approved.
If connecting apps to your Slack instance is a “must”, confirm that the appropriate authentication protocols are being used. But as a general rule, avoiding third-party app integrations entirely is a safer approach.
Review any 3rd party integrations every quarter to make sure they are still needed and remove the integrations that are no longer needed.
Risk #4: Known and unknown system vulnerabilities
Slack’s popularity and the size of its active user base make it an appealing target for hackers looking to infiltrate organizations that use the communication tool. With breaches and cybercrime at all-time highs, no system is off-limits to hackers — especially not one in which so much valuable private information is shared.
Take a recently-discovered vulnerability, as reported by Wired’s Lily Hay Newman:
“Frans Rosén, a researcher at the web security company Detectify, submitted [the vulnerability] to Slack’s bug bounty program in mid-February. If exploited, the vulnerability would allow an attacker to log into a Slack account as if they were the legitimate user of the account. From there, the attacker would have full access to look at chat histories, shared files, and any other group chats/channels the user had access to.”
Rosen shares full documentation regarding the bug on the Detectify blog, but effectively, it arose from a flaw in the way Slack was configured to communicate with other domains. Slack has since repaired the vulnerability, but such quick fixes don’t exist in all cases.
As an example, security researcher Inti De Ceukelaire discovered faulty business logic on popular third-party online help desks that enabled him to spoof company email addresses and access team pages in Slack. Though Slack recommends specific steps that can be taken against this possibility, as reported by The Next Web contributor Matthew Hughes, iterations of the attack are still effective.
Don’t rule human error element out of Slack vulnerabilities either. In April 2016, Ars Technica reported that “A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites.” Despite Slack declaring that access tokens should be treated with the same level of care as passwords, Ars Technica’s search revealed “more than 7,400 pages containing ‘xoxp’” (the prefix contained in tokens that in many cases allow automated scripts to access a Slack account).
Joining publicly-accessible Slack groups may also present a data leakage risk. In February 2018, the Origin Report’s Josh Fraser shared that the 1,118 members of its open Slack community had their personal information — including their email addresses, usernames, real names, profile pictures, last updated timestamps and timezone settings — exposed by a hacker who manipulated API keys.
Risk #5: Data access by Slack team members
Finally, be aware that very little is known about which Slack team members can access user data, and when they can do it. Though Slack claims to have technical, audit and policy controls in place to prevent inappropriate access, they also acknowledge that they did not intentionally build an app that would prevent employees from accessing information without authorization.
Electronic Frontiers Foundation Senior Staff Attorney Nate Cardozo isn’t happy with this response. In an interview with Gizmodo, he states, “Slack could have built this system in a way that no one within the company had access into user data,” referencing zero-knowledge encryption, an end-to-end encryption method. “What it comes down to is, trust us.’”
Understandably, Slack’s shortcomings on this issue have prompted fears of an unknown, as-of-yet reported “God mode,” similar to the one that got Uber in so much trouble. Though Slack denies this possibility, it’s best to remember that you’re better safe than sorry when disclosing important information online.
How to keep slack as secure as possible
While you can’t guarantee security on someone else’s system, there are a few steps you can take to minimize the risk that the data your team shares on the platform will be accessed improperly.
#1. Never share passwords on Slack
Under no circumstances should employees ever share passwords on Slack. If they need to pass on access to different programs, password management solutions like Password Boss are a safer, more easily controlled choice.
#2. Turn on two-factor authentication
At a minimum, make two-factor authentication (2FA) mandatory for all users in a workspace. If your workspaces are also using SAML-based single-sign on (SSO), you can still use 2FA, but you’ll need to set it up with your identity provider, according to Slack’s instructions.
#3. Apply your company’s email security policies to Slack
Your company should have a defined email security policy in place. If so, apply these same requirements to Slack usage (and, if not, put that on your to-do list right away). A few specific requirements your policy should encompass include:
- Guidance around sharing login credentials with others
- How confidential or sensitive information should be shared
- Password strength and security standards
#4. Make Slack security training a part of employee onboarding
Don’t rely on policies alone. Incorporate Slack security training into new employee onboarding programs, and run regular refresher courses periodically.
Teach employees they shouldn’t share anything on Slack that they wouldn’t put in an email. It may also be worth teaching them about specific risky behaviors that should be avoided on Slack (such as inadvertently creating public links to files when sharing assets).
Make Slack security screening a part of your ongoing security process as well. Follow news about Slack (setup Google alerts), paying particular attention to any bugs that are discovered or vulnerabilities that are identified. An ounce of prevention here may truly be worth a pound of cure.
Is Slack security on your radar? If so, what steps are you taking to keep your organization’s workspaces safe? Leave us a note below with your comments: