Few pieces of corporate software have earned so many fans so quickly as Slack, which is basically a sophisticated chat room for businesses. But as one blogger just realized, a vulnerability in the login page lets you snoop on the other guy.
Was trying out the Slack Mac client after we adopted Slack recently for our team communication. The Mac client asks you for an email address. Then it prompts you as to which group/team you wish to sign in to. And then it asks you for the password. My first thought was "WTF!" For those who don't know, Slack is an online collaboration tool that allows teams to have chat rooms, file sharing, etc., with a powerful API that allows custom integrations as well. As I suspected, I tried a random email address and it listed all the teams/groups that the person belonged to.
Basically, go to Slack.com, type in a fake email address for any given company (TonyZuckerberg@fb.com), and you can see their internal Slack teams. Since Slack is so hot among tech companies right now, odds are they have some.
Like, say, Apple:
And of course, Slack:
Note: we tried this method with a fake @Gawker.com email, and it didn't appear to work.
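What the blogger hit is an enumeration problem in the account-lookup step of a login flow: the service answers differently for a known and an unknown address before the caller has proved anything. The example below is added here and is not Slack's code; it simulates that lookup step over a constructed directory (the addresses, team names and the `Outbox` helper are all hypothetical), showing the leaky handler beside a hardened one that answers identically for known and unknown addresses and delivers the team list only to the mailbox itself, plus the check a reviewer can run against either handler.

```python
"""Account-lookup step of a login flow: leaky vs. hardened (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample directory: hypothetical addresses and team names, not real data.
DIRECTORY = {
    "alice@example.com": ["example-eng", "example-ops"],
    "bob@example.com": ["example-eng"],
}


def leaky_lookup(email: str, outbox: Optional["Outbox"] = None) -> List[str]:
    """Weak pattern: team membership is returned to whoever typed the address,
    before any proof that the caller controls that mailbox."""
    return DIRECTORY.get(email.lower(), [])


@dataclass
class Outbox:
    """Stand-in for an e-mail sender so the example runs offline."""
    sent: list = field(default_factory=list)


def hardened_lookup(email: str, outbox: Optional[Outbox] = None) -> dict:
    """Hardened pattern: the HTTP-style reply is byte-for-byte the same whether or
    not the address exists; the team list travels only to the mailbox, behind a
    single-use token the caller must come back with."""
    if outbox is None:
        outbox = Outbox()
    # Generate the token on every call so known and unknown addresses do a
    # similar amount of work (keeps response timing from becoming the leak).
    token = secrets.token_urlsafe(32)
    teams = DIRECTORY.get(email.lower())
    if teams is not None:
        outbox.sent.append({"to": email, "token": token, "teams": teams})
    return {
        "status": "ok",
        "message": "If that address has an account, we have emailed your sign-in options.",
    }


def leaks_membership(handler: Callable[..., object]) -> bool:
    """Review check: call the handler with a known address and a freshly
    constructed unknown one and compare what the caller gets back. True means
    an outsider can tell the two apart, i.e. the handler enumerates accounts."""
    known = handler("alice@example.com")
    unknown = handler("nobody-" + secrets.token_hex(4) + "@example.com")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_membership(leaky_lookup))        # True
    print("hardened handler leaks:", leaks_membership(hardened_lookup))  # False
    box = Outbox()
    print(hardened_lookup("alice@example.com", box))
    print("delivered out of band:", box.sent)
```

The comparison in `leaks_membership` only covers the response body; a real review of this step should also compare status codes, headers and response time for known versus unknown addresses, since any of those can carry the same signal.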
Sure, you can't actually join the teams, or see what channels exist within them, or read a single letter that's been exchanged. But I now know there's a Slack team at Google called "Tribe Wearables"—does that mean they acquired this company? Even if this isn't sensitive information, it's still information—and that's not what people are paying Slack to do.