by violetgarden 2115 days ago
I had a very similar experience with Slack. We were working with their support team because we didn’t realize a vulnerability was present at first. We thought maybe we had misconfigured something. Basically, we could log in to Slack Desktop with user A, but sometimes the screen would blink, then you would have full access to user B’s chats, you were messaging as them, etc. The Slack team told us to clear our browser cache. We tried that and told them the issue didn’t seem to be tied to a browser. Slack just kept telling us to clear cache, but we were growing more alarmed by the app behavior as a standard user suddenly got access to an administrator account and was able to perform all functions. Finally, we started digging into it ourselves until we could reproduce the issue. Slack didn’t get serious with us until we sent them a recording of us doing it, then their responses got strange. All of our emails back to the technicians were getting intercepted by someone higher up in the company, and we were getting a lot of non-answers. We were told a fix was put in place, but they wouldn’t know what happened until they added additional logging in two months’ time.

I don’t know where I’m going with this, but the correspondence with Slack just felt off to me. I was also disappointed that we were shouting from the rooftops a serious vulnerability, and we kept getting responses like “clear cache, try reinstalling the app.”