Slack sent us a notice on Thursday, March 18, 2021 that, due to a software vulnerability, it “unintentionally shared Slack Connect metadata” with partners that we share a Slack channel with. The result was a Slack shared channel metadata exposure.
Slack is a messaging platform that we use to communicate internally and externally with some of our clients. For those that we communicate with externally, we have a shared Slack channel.
Some of the data that we associate with the channel, such as descriptions of the channel, was inadvertently shared with the other party on their analytics dashboard.
Is this a big deal? No.
Are we proud of Slack for the way that they handled it? Yes.
Slack Shared Channel Metadata Exposure
Some details, first, from Slack:
“This software bug impacted workspaces using Slack Connect channels between September 12, 2017 and February 24, 2021. Slack identified this problem through an internal review on February 19th, 2021 and immediately took steps to fix the problem, standardizing behavior between the client and the channel analytics dashboard so that changes to the channel names and the channel topic and purpose were no longer visible to the external organization.”
Slack identified the issue through its internal processes. They corrected the problem. They emailed us to let us know, in clear language. Our email detailed which shared channels had their metadata exposed.
It would be great if all future exposures were so minimal and were handled so cleanly by the vendor. The way that the Slack shared channel metadata exposure was handled is a sign of Slack’s security maturity.