Slack leaks email addresses

If another proof was needed of the need to remove the weakness that centralized servers represent, Slack is leaking account nicks and emails.
I always use one-shot disposable email addresses when registering to new projects / forums / groups / etc… which makes spotting email leaking really easy and obvious.
I just received an email from a guy pretending they found my profile on LinkedIn (I don’t even have an account on LinkedIn)… They cite my Slack nickname in the email text, and sent it to the disposable email address that I registered with for joining a team recently.

No big deal for me as I will just redirect this email address to /dev/null, but it is no good for Slack.

Hopefully Safe will help mitigate these issues soon! :smiley:

4 Likes

Hmm, not sure how long it took you to develop this theory, but it’s not a very good one.
In most slacks I have access to, one can simply see everyone’s email by going to Team Directory.

4 Likes

Oh, thank you for pointing that out, I didn’t notice this, and I don’t remember Slack giving a warning about this.

So they simply deliberately leak the addresses of their members… Which plainly sucks.

1 Like

Oh, even better, disabled accounts’ emails remain publicly visible. Ok, they really suck hard.

1 Like

Well yeah, I don’t like that either, but I guess it’s convenience over privacy/security.
But then again I am an old fart… Maybe that’s the wave of the future, no email privacy.

1 Like

This happened to me also. I think it’s an unfortunate side effect of an open system. I’ve told Slack about it.

1 Like

https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/

Slack mightn’t be safe.

1 Like

Funny, G2Crowd are the same guys that sucked my mail from Slack.

I asked the Slack team why they publish thousands of emails in plain text on the web, they answered me that “they think email sharing is very important for a communication tool”. They don’t seem to even get how that could be a problem, and how their naive, simplistic implementation is a severe weakness.

I proposed to the Slack team to implement mail address sharing based on opt-in instead of making it the default, and proposed the idea that a team member would have to privately ask another member the permission to have their mail address. This way you could share your address only if you trust the person. And Slack could log bots or bad boys who misuse the feature.
On huge teams with thousands of members I have the conviction that this is a primary necessity.

Unfortunately, it seems that people just don’t care about privacy and security, provided that you give them a sleek and sexy one-button application… Just as @dallyshalla’s example above illustrates very well, and as @janitor said, convenience primes over anything else.
Google and friends made a good job of turning a whole generation of computer users into nice docile sheep…

In the same style, I raised concerns here on the forum about the use of npm and cargo for such a sensible project as Safe, when both lack the most basic integrity check before installing what they download to the developer’s drive, and when both send home full reports of who is developing what. Apart from a few raised eyebrows here and there, nobody seemed to care at all, and everyone keeps going on as if there was nothing to be worried about here, as long as we can have shiny apps running on mobile phones.

I suppose I am an old fart too, with outdated concerns.

I’ll keep working on a dumb safe browser anyways. Maybe just for old paranoid farts :slight_smile:

5 Likes
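A constructed model of the opt-in sharing scheme proposed in the last post, added here as an example and not Slack's code or anything posted in this thread: addresses are hidden by default, a member must ask the owner privately, the owner's approval is what unlocks the lookup, every request and denied lookup lands in an audit trail so harvesting accounts can be flagged, and a disabled account's address disappears even for requesters it had approved. Names and addresses are invented sample data.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Directory that hides addresses unless the owner opted in for a requester (constructed model)."""
    emails: dict                                # member -> address (constructed sample data)
    grants: set = field(default_factory=set)    # (owner, requester) pairs the owner approved
    pending: set = field(default_factory=set)   # requests still awaiting the owner's answer
    audit: list = field(default_factory=list)   # every request, approval and denied lookup

    def request_email(self, requester, owner):
        # The requester asks the owner privately; nothing is revealed at this point.
        self.pending.add((owner, requester))
        self.audit.append(("request", requester, owner))

    def approve(self, owner, requester):
        # Only the owner turns a pending request into a grant; unsolicited approvals do nothing.
        if (owner, requester) in self.pending:
            self.pending.discard((owner, requester))
            self.grants.add((owner, requester))
            self.audit.append(("approve", owner, requester))

    def lookup(self, requester, owner):
        # Default deny: the address goes only to the owner or an approved requester.
        if requester == owner or (owner, requester) in self.grants:
            return self.emails.get(owner)
        self.audit.append(("denied", requester, owner))
        return None

    def suspicious_requesters(self, threshold):
        # Accounts asking many members for their address look like scrapers; flag them.
        counts = Counter(who for kind, who, _ in self.audit if kind == "request")
        return sorted(m for m, n in counts.items() if n >= threshold)

    def disable(self, member):
        # A disabled account's address must vanish, even for requesters it had approved.
        self.emails.pop(member, None)
        self.grants = {g for g in self.grants if g[0] != member}

def demo():
    d = Directory(emails={"alice": "alice@example.invalid", "bob": "bob@example.invalid", "carol": "carol@example.invalid"})
    d.request_email("bob", "alice")
    before = d.lookup("bob", "alice")         # None: alice has not answered yet
    d.approve("alice", "bob")
    after = d.lookup("bob", "alice")          # revealed only after her consent
    for owner in ("alice", "bob", "carol"):   # one account asking every member
        d.request_email("scraper", owner)
    flagged = d.suspicious_requesters(threshold=3)
    d.disable("alice")                        # her address is gone, even for bob
    return before, after, flagged, d.lookup("bob", "alice")
```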