
In this article

  • Introduction
  • What makes Slack data vulnerable?
  • How to stay secure in Slack?

Slack Security: Potential Risks and How to Stay Secure in Slack

15 Jun 2022
Ahana

Article at a glance

Slack's security features are robust, but there are potential risks that require attention:
  • Public links and third-party apps pose significant data leakage risks if not properly managed.

  • Users can inadvertently expose sensitive information by creating public links or integrating unsecured apps. What is the solution?


1. Introduction

Slack is one of the most popular enterprise communication platforms, with more than 12 million daily active users. Business users assume that conversations in direct messages and private channels on Slack will remain confidential and protected. However, there are significant security risks when Slack is used for critical business communications.

This article explores the different security risks in Slack and the various steps admins can take to mitigate these risks. 


2. What makes Slack data vulnerable?

2.1. The issue of encryption

Slack encrypts customer data at rest and in transit between a customer's network and the Slack services. This does not solve the problem of data security in its entirety: the encryption is not end-to-end, and companies are left to supervise and manage how, and to what extent, their data is secured, which leaves room for security oversights.

Slack has no plans to introduce end-to-end encryption by default for Slack users because of the limitations it would put on the platform, particularly for third-party integrations. The same features that Slack users find convenient and efficient therefore also constitute one of Slack's most problematic security weaknesses.

2.2. Threat posed by third-party app integrations

Slack Connect is a collaborative platform within Slack that lets users work and collaborate effectively with external organizations. With Slack Connect, everyone can discuss work, share files, and drive business results in a shared space accessible to partners.

Even though Slack Connect lets users streamline processes and collaborate effectively across organizations, there is always a risk of a data breach when a third-party application is involved. Many Slack users are unaware of the permissions enabled when a third-party application is linked to a Slack account. Permissions given to third-party apps, such as viewing information, posting information, or carrying out actions within a channel, thread, or direct message, can give the apps access to the confidential information of Slack users. Such permissions might also allow third-party applications to edit, modify, and delete Slack data.

In 2016, tech consulting firm 18F’s Slack account inadvertently exposed sensitive government information and resulted in a data breach. According to the report, over 100 General Services Administration’s (GSA) Google Drive accounts were accessible to outsiders for at least five months potentially exposing sensitive content such as personally identifiable information and contractor proprietary information. The breach occurred because the GSA had made the connection between the two apps using an authentication protocol known as “OAuth2.0,” which neither Slack nor the GSA’s IT standards had approved. 


2.3. Power vested in owners and admins in Slack

Slack grants some of its users significant power within the system through the admin and owner roles. Besides the obvious potential for data abuse, the power granted to admins and owners poses a serious threat to data security because it increases the odds of unintentional deletion of important groups. For example:

1. A Slack admin can view all the files that have been shared in public channels.
2. A Slack admin, depending on the subscription plan of the workspace, can export all workspace messages and files. On the Business+ and Enterprise Grid plans, admins can export content from all public channels and direct messages, exposing the privacy and confidentiality of Slack users.

[Screenshot: Export from Slack]

3. Slack admins can invite guests to any public channel and invite single-channel or multi-channel guests to a private channel.
4. Slack admins can delete a channel, and this action is irreversible.

Slack admins can also give end users a great deal of control, which poses security risks because every end user is then able to create, manage, modify, or delete Slack data.
For example:

1. Slack admins can allow everyone in the company, except guests, to create, modify, and disable user groups.

[Screenshot: User groups management]

2. Slack admins can allow everyone to create, archive, and remove members from channels.

[Screenshot: Channel management]

3. Slack admins can allow workspace members to override the retention settings for private channel messages and direct messages.

[Screenshot: Retention settings management]

2.4. Risk of posting malicious content to Slack

Despite Slack's many security features, cybercriminals attempt to infiltrate Slack, and sometimes succeed, leaking valuable classified information. Users can also post malicious content, intentionally or unintentionally, putting data security at risk.

For example, in April 2016, Ars Technica reported that, “A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.” 

Joining publicly accessible Slack groups may also present a data leakage risk. In February 2018, the Origin Report’s Josh Fraser shared that the 1,118 members of its open Slack community had their personal information — including their email addresses, usernames, real names, profile pictures, last updated timestamps, and time zone settings — exposed by a hacker who manipulated API keys.  
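The credential leak described above (developers committing Slack tokens to public repositories) is something a defender can catch before the push with a secret scanner. The following scanner is an added example, not code from the article or from SysCloud: the Slack token and webhook patterns are heuristics assumed from the commonly documented token prefixes and webhook URL shape rather than an official specification, and the file it scans is constructed, with fabricated placeholder values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Heuristic patterns (assumption: based on the commonly documented Slack token
# prefixes xoxa/xoxb/xoxe/xoxp/xoxr/xoxs and the hooks.slack.com/services/
# webhook URL shape; this is not an official Slack specification).
SLACK_PATTERNS: Dict[str, Pattern] = {
    "slack_token": re.compile(r"\bxox[abeprs]-[0-9A-Za-z-]{10,}"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # enough to locate the value in the file, never the full secret


def redact(secret: str) -> str:
    """Keep the first 8 and last 4 characters so the hit can be located without echoing it."""
    return secret[:8] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking match, with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SLACK_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(0))))
    return findings


def scan_files(paths: List[str]) -> Dict[str, List[Finding]]:
    """Scan files on disk (e.g. the staged files in a pre-commit hook); returns only files with hits."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read())
        if hits:
            results[path] = hits
    return results


# Constructed sample of a settings file that should never be committed.
# The token and webhook values are fabricated placeholders, not real credentials.
SAMPLE_FILE = """\
# settings.py
SLACK_BOT_TOKEN = "xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKEFAKE"
SLACK_WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/FAKEFAKEFAKEFAKEFAKEFAKE"
DATABASE_URL = "postgres://app:app@localhost/app"
"""

if __name__ == "__main__":
    import sys
    # With file paths as arguments, scan those; otherwise scan the constructed sample.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE_FILE)}
    for path, findings in hits.items():
        for f in findings:
            print(f"{path}:{f.line_no}: {f.kind} {f.redacted}")
    sys.exit(1 if any(hits.values()) else 0)
```

Wired into a pre-commit hook, the non-zero exit status blocks the commit; the redacted output is deliberately short so the hook's own log does not become a second copy of the secret.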

2.5. End users can create public links to files

End users of Slack can create a public link to any file shared in Slack. Once a file is made public, anyone on the internet can access and download it. Slack has this setting turned on by default, so unless a workspace owner or admin disables it on the workspace's 'Settings & administration' page, Slack users can create public links, posing a threat to data security.

[Screenshot: Create external link in Slack]

[Screenshot: Public link to the Slack file]
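Disabling the setting stops new public links, but links created before the change stay live. An admin can find and revoke them through the Slack Web API. The script below is an added example, not code from the article or from SysCloud: it assumes the Slack methods files.list and files.revokePublicURL and the public_url_shared field of Slack's file object, needs a user token with the files:read and files:write scopes for the real transport, and runs here against a constructed sample workspace rather than a live one.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Assumptions: files.list and files.revokePublicURL are the Slack Web API
# methods used; `public_url_shared`, `permalink_public` and `paging.pages`
# follow Slack's documented response shape. The transport is injected so the
# audit logic can run offline against a constructed workspace.
ApiCall = Callable[[str, Dict[str, str]], Dict]


def slack_api_call(method: str, params: Dict[str, str]) -> Dict:
    """Real transport: POST to https://slack.com/api/<method> with a user token
    (read from SLACK_USER_TOKEN) that has the files:read and files:write scopes."""
    token = os.environ["SLACK_USER_TOKEN"]
    req = urllib.request.Request(
        f"https://slack.com/api/{method}",
        data=urllib.parse.urlencode(params).encode(),
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_public_files(api_call: ApiCall) -> List[Dict]:
    """Page through files.list and return the files that have a public link enabled."""
    public, page = [], 1
    while True:
        resp = api_call("files.list", {"count": "100", "page": str(page)})
        if not resp.get("ok"):
            raise RuntimeError(f"files.list failed: {resp.get('error')}")
        public.extend(f for f in resp["files"] if f.get("public_url_shared"))
        if page >= resp.get("paging", {}).get("pages", 1):
            return public
        page += 1


def revoke_public_links(api_call: ApiCall, dry_run: bool = True) -> List[str]:
    """Revoke every public link found. With dry_run=True only report the file ids."""
    affected = []
    for f in find_public_files(api_call):
        if not dry_run:
            resp = api_call("files.revokePublicURL", {"file": f["id"]})
            if not resp.get("ok"):
                raise RuntimeError(f"revoke failed for {f['id']}: {resp.get('error')}")
        affected.append(f["id"])
    return affected


# Constructed sample workspace (not captured from a real Slack instance).
FAKE_WORKSPACE = {
    "F0000001": {"id": "F0000001", "name": "board-deck.pdf",
                 "public_url_shared": True,
                 "permalink_public": "https://slack-files.com/EXAMPLE-PUBLIC-LINK"},
    "F0000002": {"id": "F0000002", "name": "notes.txt", "public_url_shared": False},
}


def fake_api_call(method: str, params: Dict[str, str]) -> Dict:
    """Offline stand-in for slack_api_call, answering from FAKE_WORKSPACE."""
    if method == "files.list":
        return {"ok": True, "files": list(FAKE_WORKSPACE.values()),
                "paging": {"page": 1, "pages": 1}}
    if method == "files.revokePublicURL":
        FAKE_WORKSPACE[params["file"]]["public_url_shared"] = False
        return {"ok": True}
    return {"ok": False, "error": "unknown_method"}


if __name__ == "__main__":
    # Swap fake_api_call for slack_api_call to run against a real workspace.
    print("public files:", revoke_public_links(fake_api_call, dry_run=True))
    print("revoked:", revoke_public_links(fake_api_call, dry_run=False))
    print("remaining:", find_public_files(fake_api_call))
```

Run it in dry-run mode first and keep the list of file ids it reports: that list is the audit record, and it tells owners which files were reachable by anyone on the internet before the links were closed.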

3. How to stay secure in Slack?

While Slack has a diligent security platform and controls, it is still vulnerable to data security threats. Here are a few simple techniques to safeguard your Slack account from data breaches:

3.1. Set up two-factor authentication

Two-factor authentication (2FA) is an extra layer of sign-in security. With 2FA enabled, users must sign in using a code sent to their mobile device in addition to their Slack password. Using 2FA ensures that even if a password is compromised, access to Slack won't be granted unless the person signing in is verified from their device.

Workspace owners can make 2FA mandatory for all members of a workspace.

3.1.1. How to set up 2FA in Slack

  • Step 1: Sign in to the workspace, select Settings & administration, and click on Workspace settings. Then select Account and Profile.

[Screenshot: Slack workspace settings]

  • Step 2: Next to Two-factor Authentication, click Expand. Then click Set Up Two-Factor Authentication.

[Screenshot: 2FA in Slack]

  • Step 3: Enter your password and click SMS Text Message to receive authentication codes by text message.

  • Step 4: Select your country from the menu. If your country isn't listed, choose Other.

  • Step 5: Enter your mobile phone number, including your area and/or zone code.

  • Step 6: Slack will send a 6-digit verification code to your device. Enter the code on the Slack 2FA configuration page.

  • Step 7: To finish, select Verify Code.

Every time you sign in to your workspace, you will be sent a text message with a single-use authentication code.

Owners and admins of Enterprise Grid subscriptions can also make 2FA mandatory for all users who sign in with an email address and password.

[Screenshot: Mandatory 2FA]

3.2. Set up user onboarding and offboarding

When considering Slack security, one should always consider data breaches and threats from insiders, including employees who leave the company, whether on their own terms or because of an incident.

To ensure that no unwanted members remain in your Slack workspace with access to sensitive business information, a proper plan must be in place for employee onboarding and offboarding. This includes deactivating members' accounts when they leave. Workspace owners on the Business+ and Enterprise Grid plans can streamline deactivation through an identity provider using System for Cross-Domain Identity Management (SCIM) provisioning.

3.3. Limit access to your workspace

To ensure that only the right people have access to the sensitive information shared in Slack, admins must limit access to information in the workspace. Admins can limit users' access to Slack data by controlling and reviewing who is invited to the workspace, verifying email domains, deactivating the accounts of members who no longer need access, and using guest accounts while limiting the channels guests are invited to.

3.3.1. Limit access to workspace by managing admin approval for invitations

By default, all Slack members can invite others to a Slack workspace. Workspace owners and admins can change the settings so that invitations must be requested and approved.

  • Step 1: From your desktop, click your workspace name in the top left.

  • Step 2: Select Settings & administration from the menu, then click Workspace settings.

[Screenshot: Slack workspace settings]

  • Step 3: Click the Permissions tab.

  • Step 4: Next to Invitations, click Expand.

  • Step 5: Check or uncheck the box next to Require admin approval. Click Save.

[Screenshot: Require admin approval]

3.3.2. Deactivate members’ accounts that no longer need access

Owners and admins can deactivate members’ accounts. When an account is deactivated, the user will be signed out of all the devices and will be unable to sign back in. 
  • Step 1: Click your workspace name in the top left. 

  • Step 2: Select Settings & administration from the menu, then click Manage members.

  • Step 3: Click the three dots icon to the right of the member you’d like to deactivate.

  • Step 4: Select Deactivate account.

Note: On the Enterprise Grid plan, users can only be removed at the organization level, so a user's account is deactivated from the Enterprise Grid organization rather than from an individual workspace.

3.4. Set session duration

On the Pro, Business+, and Enterprise Grid plans, owners and admins can limit how long their members are signed in to Slack on desktop by setting a session duration. When you set a session duration, the members will have to sign back in periodically.

3.4.1. How to set up session duration

a) For Pro and Business+ plans:

  • Step 1: From your desktop, click your workspace name in the top left.

  • Step 2: Select Settings & administration from the menu, then click Workspace settings.

  • Step 3: Click Authentication.

  • Step 4: Next to Session Duration, click Expand.

  • Step 5: Select how much time should elapse before requiring members to sign back in.

  • Step 6: Click Save.

b) For Enterprise Grid plan:

  • Step 1: From your desktop, click your workspace name in the top left.

  • Step 2: Select Settings & administration from the menu, then click Organization settings.

[Screenshot: Slack organization settings]

  • Step 3: Click 🔒 Security in the left column, then select Security Settings.

[Screenshot: Security settings]

  • Step 4: Next to Session Duration, click Enable.

  • Step 5: Select how much time should elapse before requiring members to re-authenticate.

  • Step 6: Click Enable.

[Screenshot: Session duration]

3.5. Evaluate third-party apps before adding them to Slack Workspace

The vulnerabilities associated with third-party applications and Slack’s sharing permission policies pose a high risk to data security in Slack. Therefore, before connecting a Slack workspace to a third-party application, it is advisable to diligently review and evaluate the app and its permissions.  
To secure Slack data from the vulnerabilities associated with third-party applications, workspace owners and admins can consider the following methods: 

1. Understand the app permissions required: Each third-party service connected to Slack has its own set of permissions that determines what information the app can access and how it can use that information. By default, third-party apps can do the following in Slack:

  a. View information,
  b. Post information, and
  c. Perform actions.

For example, suppose you've installed the WebEx Meetings app in your Slack workspace to schedule and join meetings. In that case, the app may have access to your channels, calendar, and member profiles to make sure that meeting updates and notifications are sent to the right people.

To ensure the security of Slack data, workspace owners and admins should review what information the third-party app will have access to in Slack and what the app can do with that information, such as posting messages or modifying/deleting content.

Workspace admins and owners can filter apps by access type in the Slack App Directory to see what kind of information an app can view in Slack.

  • Step 1: Click on the Slack workspace name in the top left.

  • Step 2: From the menu, select Settings & administration and click on Manage apps to open the App Directory.

[Screenshot: Slack manage apps]

  • Step 3: Click on Apps and select Installed apps, Approved apps, or Restricted apps.

  • Step 4: Click on the drop-down menu below Access types to view apps with different access types.

[Screenshot: App access types]

2. Manage app approval for your workspace: Workspace owners can enable app approval to restrict or pre-approve certain apps, protecting Slack data.

  • Step 1: Click on your workspace name in the top left.

  • Step 2: Select Settings & administration from the menu, then click on Manage apps to open the Slack App Directory.

[Screenshot: Manage apps]

  • Step 3: Click App management settings in the left column.

[Screenshot: App management settings]

  • Step 4: Click the toggle next to Require app approval to enable the setting.

[Screenshot: App approval]
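The permission review in point 1 above (what an app can view, post, or do) becomes more useful when it is applied to the whole app inventory at once, so that the most powerful apps are reviewed first. The triage below is an added example, not the article's or Slack's code: the scope identifiers are real Slack OAuth scope names, but the grouping into the article's three classes, the risk ordering, the notion of "private content" scopes and the app inventory are this example's own constructed assumptions.

```python
from typing import Dict, List

# Assumption: the scope identifiers below are real Slack OAuth scope names, but
# the grouping into the article's three permission classes (view information,
# post information, perform actions) and the risk ordering are this example's
# own judgement, not a classification published by Slack.
SCOPE_CLASSES: Dict[str, set] = {
    "view": {"channels:read", "channels:history", "groups:history", "im:history",
             "mpim:history", "files:read", "users:read", "users:read.email",
             "users.profile:read"},
    "post": {"chat:write", "chat:write.customize", "incoming-webhook"},
    "act":  {"files:write", "channels:manage", "groups:write", "users:write", "admin"},
}
RISK_ORDER = ["none", "view", "post", "act"]  # ascending
# Scopes that expose message or file content beyond public channels (example's own list).
PRIVATE_CONTENT_SCOPES = {"groups:history", "im:history", "mpim:history", "files:read"}
KNOWN_SCOPES = set().union(*SCOPE_CLASSES.values())


def triage_app(name: str, scopes: List[str]) -> Dict:
    """Summarise what one installed app can do from its granted scopes."""
    granted = set(scopes)
    level = "none"
    for cls in RISK_ORDER[1:]:
        if granted & SCOPE_CLASSES[cls]:
            level = cls  # RISK_ORDER is ascending, so the last hit is the highest class
    return {
        "app": name,
        "level": level,
        "reads_private_content": sorted(granted & PRIVATE_CONTENT_SCOPES),
        "unknown_scopes": sorted(granted - KNOWN_SCOPES),  # review these by hand
    }


def triage_report(apps: Dict[str, List[str]]) -> List[Dict]:
    """Rank installed apps so the most powerful ones are reviewed first."""
    rows = [triage_app(name, scopes) for name, scopes in apps.items()]
    return sorted(rows, key=lambda r: (-RISK_ORDER.index(r["level"]), r["app"]))


# Constructed inventory of installed apps and their scopes (hypothetical app names,
# as an admin might export them from the App Directory's installed-apps view).
INSTALLED_APPS = {
    "Standup Bot": ["channels:read", "chat:write"],
    "Meeting Scheduler": ["channels:read", "users:read", "users.profile:read", "chat:write"],
    "Archive Helper": ["channels:history", "im:history", "files:read", "files:write",
                       "channels:manage"],
    "Mystery App": ["example:unknown"],
}

if __name__ == "__main__":
    for row in triage_report(INSTALLED_APPS):
        flags = []
        if row["reads_private_content"]:
            flags.append("reads private content: " + ", ".join(row["reads_private_content"]))
        if row["unknown_scopes"]:
            flags.append("review manually: " + ", ".join(row["unknown_scopes"]))
        print(f"{row['app']:<18} {row['level']:<5} {'; '.join(flags)}")
```

An app whose level is "act" or that reads direct-message history deserves the closest look, because those are exactly the permissions that let an integration modify or delete data or read conversations users believe are private; unknown scopes are surfaced rather than silently ignored so a new or renamed scope cannot slip past the review.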

3.6. Slack Enterprise Key Management

Slack Enterprise Key Management (EKM) is a security add-on for Enterprise Grid subscribers. With Slack EKM, organizations use their own keys, stored in Amazon's Key Management Service, to encrypt messages and files. Slack EKM improves organizations' ability to share sensitive conversations and files on Slack while still meeting their security requirements. To address security threats, administrators can revoke access to messages and files at the organization, workspace, channel, and file levels.

Enterprise Grid subscribers can contact the Slack Support team to set up Slack Enterprise Key Management.

3.7. Slack for Intune Mobile App management

Slack has introduced support for Microsoft Intune Mobile App Management (MIAM) so that organizations can add Slack to their set of trusted apps and keep sensitive business data secure on unmanaged personal mobile devices. MIAM lets admins manage Slack access and security without taking full control of employees' devices.


3.8. Always have a backup solution in place

Even after applying all the security measures Slack provides, Slack data is still vulnerable to data loss, whether through accidental deletion, phishing or ransomware attacks, or disgruntled employees.

Third-party backup applications such as SysCloud can be used to back up and restore your Slack data. SysCloud backup allows admins to back up, restore, and export Slack channel conversations and files whenever needed.

3.8.1. Why should you use SysCloud to back up Slack data?

The following are the advantages of using SysCloud to back up your Slack data:

  • Automated Slack backups, with API errors resolved automatically.

  • Export threads, channels, direct messages, or even the entire workspace in JSON format.

  • Restore threads in direct messages and channels with a single click.

  • Search for content inside conversations, files, channels, and user groups using keywords, across all your workspaces.
