by 0xy 2115 days ago
So Slack offers the guy a paltry $1,750, then attempts to take credit for his work while also screwing him out of his own disclosure.

This kind of response to security researchers just invites the next researcher to sell the exploit instead, or to actively exploit it.

Why does Slack seem like a company that is floundering? It took them over two years to release a simple feature like shared channels. It seems like the app is frozen in time and the company is doing nothing except keeping the lights on and waiting for Teams to obliterate them.

Slack turned from a hungry tiger startup into an exhausted lumbering enterprise giant whose primary weapon is litigation and mudslinging (Slack initially encouraged the Teams competition, then filed suit against Microsoft in perhaps the biggest case of corporate sour grapes in some time).

Pay your security researchers properly, Slack.

3 comments

> A simple feature like shared channels

You think merging two or more organizations' workspaces in a sane and secure manner after likely basing the entire app infrastructure around the idea of a single workspace is a "simple feature"? This is a textbook example of the classic HN comment "Why does this company need X engineers to create Y product. I could do it in a weekend."

Except I never claimed it could be done in a weekend, only that it shouldn't take 1,600 employees two years to roll out a single feature while the main app has severe problems (zero error handling during downtime).

Then there's Slack's other "features", like the rich text editor nobody liked or wanted and that they initially refused to change.

Look at Teams' trajectory in the same timeframe.

Slack video calling is still bad. It's been years.

They would've spent multiples of that internally, just fumbling about trying to reproduce the vulnerability.
Considering their new desktop app didn't have even the most basic error handling for connection failures (during downtime people had bricked apps that displayed a white screen with an HTTP error), I have absolutely zero faith in Slack's engineering capabilities.

That's not an indictment of the engineers, but it's an indictment of the executives and managers responsible for the lazy stagnation they're currently in. The quality engineering is gone.

Headcount is way up, engineering budgets are way up, but feature velocity is non-existent. Meanwhile Teams is moving at lightspeed in comparison. While Teams might not be there yet, at least they're trying. Slack is doing nothing.

The sooner Slack is out of my life, the happier I will be.
I had a very similar experience with Slack. We were working with their support team because we didn't realize a vulnerability was present at first. We thought maybe we had misconfigured something. Basically, we could log in to Slack Desktop with user A, but sometimes the screen would blink, then you would have full access to user B's chats, you were messaging as them, etc. The Slack team told us to clear our browser cache. We tried that and told them the issue didn't seem to be tied to a browser. Slack just kept telling us to clear cache, but we were growing more alarmed by the app behavior as a standard user suddenly got access to an administrator account and was able to perform all functions. Finally, we started digging into it ourselves until we could reproduce the issue. Slack didn't get serious with us until we sent them a recording of us doing it, then their responses got strange. All of our emails back to the technicians were getting intercepted by someone higher up in the company, and we were getting a lot of non-answers. We were told a fix was put in place, but they wouldn't know what happened until they added additional logging in two months' time.

I don’t know where I’m going with this, but the correspondence with Slack just felt off to me. I was also disappointed that we were shouting from the rooftops a serious vulnerability, and we kept getting responses like “clear cache, try reinstalling the app.”