Slack is one of the most popular communication tools – this is especially true for remote working companies. Now the messenger has admitted to a flaw in an email. The Slack security vulnerability has led to unauthorized people being able to read closed chats.

The popular office messenger Slack has experienced a security flaw that went unnoticed for several months.

This is according to an official mail from the company, which BASIC thinking has obtained.

Slack vulnerability: What happened?

Anyone who invites new users to an existing, closed channel on Slack can choose between two options:

  1. The inviting person archives the existing channel and creates a new one, which can then be accessed by all old and new members. This way, new users cannot see old messages and documents.
  2. The inviting person adds the new user to the existing channel. In this case, the new member can see all old messages and documents.

During the same invitation process, a software error occurred for users who were added to an archived Slack channel via the iOS client.

As a result, all new users were able to see the old messages, files and documents of the closed chat despite the settings made.

Slack security vulnerability: Who is affected?

The Slack vulnerability occurred in all versions of the iOS client between December 10, 2020 and June 10, 2021. According to Slack, new users who were added to existing closed chats during this period sometimes had insights into the documents that were actually hidden.

In the corresponding info mail, Slack explains that it was informed about the security vulnerability on June 2, 2021. By updating the iOS client to version 21.06.11, the problem has been fixed since June 7, 2021. However, the corresponding email did not go out until the beginning of July 2021.

What can I do if I am affected by the Slack security vulnerability?

In its email, the office messenger advises all affected companies and the responsible administrators that all iOS users should update the application. Until this happens, it is not possible to add new users to closed channels.

Likewise, Slack informs that the affected users have been removed from the corresponding channels. At the latest, they can no longer access the actually secret chats and files.