Hacker News
by ateesdalejr 2858 days ago
> Injecting javascript into Slack via Chrome extension can have an impact on the privacy and security of our customers and our product.

So can taking screenshots of messages. If injecting JS can possibly affect the security of your platform then that's a vulnerability you should fix, not send a C&D to some developer about.


They're not saying that their server will leak data, they're saying that an ecosystem of Slack Chrome extensions injecting arbitrary JS is fundamentally much, much less secure than an ecosystem of integrations using official Slack APIs. It's debatable whether Slack has the authority to disallow Chrome extensions, but it's certainly in their interest to discourage them.

If everyone gets used to installing 5 Chrome extensions from unknown developers adding little themes and tweaks to Slack, then some of those extensions are going to be malicious and a lot of people are going to have their accounts stolen. Third-party software should only request as much access as it needs, and Chrome extensions are just bad architecture for this sort of problem, since you can't say "this extension gets to make benign visual tweaks to the page but doesn't get to steal my Slack account". I haven't worked with Slack's API, but nearly every API like it provides granular access and certainly doesn't let you steal the user's account, and all actions are done via an API token that can be tracked and revoked by Slack if your app is malicious.

If I make a browser extension that grabs your auth token and all of your messages and sends it to my server, how is Slack meant to fix that?
I can ask you for your slack password, and you can then tell it to me. How can slack fix that?

Any extension that asks for the permission to read data off webpages can read data off webpages, yes.

It's the user's responsibility to not install such an extension, not the company's responsibility to do whatever the hell they're doing here.

Anyways, this extension wasn't malicious. Its source code was available freely, and auditing it reveals nothing malicious.
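On the two points made above (that Chrome's permission model cannot express "restyle the page but don't touch my session", and that an extension granted access to a page can read everything on it), here is an added example that is not from the thread or from the extension it discusses: a small auditor for a Chrome extension manifest (Manifest V3 field names) that reports which origins the extension's content scripts and host permissions let it read, flags over-broad patterns, and lists sensitive API permissions. The manifests and URLs in it are constructed for illustration.

```javascript
// Added example (not from the HN thread or the extension it discusses).
// Audits a Chrome extension manifest (Manifest V3 field names) and reports
// the origins its content scripts and host permissions make readable. Chrome
// has no grant meaning "change the CSS but not read the DOM": any origin a
// content script matches exposes its DOM, storage and in-page requests.
// Manifests and URLs below are constructed sample input.

// Real Chrome API permissions that widen an extension's reach beyond one page.
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "webRequest", "scripting", "tabs", "history",
  "clipboardRead", "debugger", "nativeMessaging", "declarativeNetRequest",
]);

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Translate a Chrome match pattern (scheme://host/path) into a RegExp over a full URL.
function matchPatternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^(?:https?|file|ftp):\/\//;
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const schemeRe = scheme === "*" ? "https?" : scheme;
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = `(?:[^/]+\\.)?${escapeRe(host.slice(2))}`;
  else hostRe = escapeRe(host);
  const pathRe = escapeRe(path).replace(/\\\*/g, ".*");
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`);
}

// Every pattern that injects extension code into, or grants host access to, a site.
function readablePatterns(manifest) {
  const fromScripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  const fromHosts = manifest.host_permissions || [];
  return [...new Set([...fromScripts, ...fromHosts])];
}

function canReadUrl(manifest, url) {
  return readablePatterns(manifest).some(p => matchPatternToRegExp(p).test(url));
}

// "<all_urls>" or a bare "*" host means every site the user visits.
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return !!m && m[1] === "*";
}

// Summarises the blast radius: readable patterns, over-broad ones, sensitive APIs.
function auditManifest(manifest) {
  const patterns = readablePatterns(manifest);
  return {
    patterns,
    broad: patterns.filter(isBroadPattern),
    sensitive: (manifest.permissions || []).filter(p => SENSITIVE_PERMISSIONS.has(p)),
  };
}

// Constructed manifest for a hypothetical "theme tweak" extension. Note that the
// same matches that let it restyle the page let it read everything on it.
const sampleManifest = {
  manifest_version: 3,
  name: "Slack Theme Tweaks (hypothetical)",
  permissions: ["storage", "cookies"],
  host_permissions: ["https://*.slack.com/*"],
  content_scripts: [{ matches: ["https://app.slack.com/*"], js: ["theme.js"] }],
};

// Constructed manifest with a pattern that reaches every site.
const allSitesManifest = {
  manifest_version: 3,
  name: "Hypothetical over-broad extension",
  permissions: ["tabs"],
  host_permissions: ["<all_urls>"],
};

console.log(auditManifest(sampleManifest));
console.log(auditManifest(allSitesManifest));
```

The point the auditor makes concrete: the only lever Chrome gives a reviewer is the set of match patterns, and the narrowest honest pattern for a "Slack theme" is still the whole Slack origin, which is exactly the origin holding the session. An API token with a scope like "read channel names" has no equivalent here.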

Hard to solve that if the browser allows that via the extensions mechanism.
If your security depends on people not using browser features, maybe don’t use a browser then. Ultimately, if your security depends on the client being unmodified, you basically lost. You can make it harder for an attacker, but that’s the problem DRM tries to solve (and consistently fails to).
But that's utterly ridiculous. All the data Slack sends to my browser is already mine to view, so if there's an issue of "privacy and security", it's on their end.