Did you know that email addresses are not unique identifiers on Slack?

Paul Walsh
Sep 15, 2017

I wrote a blog post to explain how Slack’s decision to remove the @username as a unique identifier was a poor decision that could have serious security implications — especially for cryptocurrency communities and enterprise customers who want to share channels with other companies. You can read the post here.

A Slack designer called Hubert Florin left the following comment on my post:

The email… you hide it to support your argument… not very honest…

Hubert is referring to the fact that I blurred out an email address that belonged to a real person who appeared on my screen shot — to protect his privacy.

I’m surprised that someone representing Slack would call me dishonest in a public forum. What motive would I have to be dishonest? He clearly hasn’t done his research to learn that MetaCert is listed in “Brilliant Bots” and we have a good relationship with Slack. Ok, we might not see eye to eye on everything — but that just means everyone knows where they stand with MetaCert — a very open, transparent, honest company that puts ethics and integrity above all else. I love Slack. I really love it. And I think the people are amazing there. Anything I say is related to specific product features — not the company or the people.

My response was:

Hi Hubert Florin Thanks for responding. Would you please be kind enough to expand on that comment regarding email? Please note, that within the Cryptocurrency world, people enjoy their anonymity and they certainly won’t want their email address displayed. So given that insight, what is your opinion? And it’s not just in the crypto world — most people are not going to display their email address for all to see. Unless of course you are referring to something else?

I’d like to take it a step further, why not implement a nicely designed visual indicator for Admin people. That way, everyone knows who the “team” owners are. In fact, you might want to expand this so when you have shared channels between companies, how do they know who’s working for who?

Hubert Florin then followed up on Twitter with:

Yes you did, under the timezone. So obvious. With the email you know who the person is.

Rather than engage with me through this blog, or better, offline to dig a little deeper, he takes it to Twitter. And, now he’s calling me a liar, again for a second time. It’s in the public domain so I feel the need to respond — because I pride myself on being very open and honest. What does a Security company and its founding team have, if not “trust”?

I fully understand what Hubert is thinking. Hubert thinks that a Slack user’s email address is a unique identifier that can’t be changed and/or spoofed. I don’t judge Hubert’s technical expertise for getting this wrong. He’s a designer at Slack. He doesn’t work on the security team and he’s not an engineer.

Hubert has just proven my original point. It will be easy for impersonators to join a Slack team or community and later, update their profile so it’s either a fake, or it’s made to look like it’s someone else. I updated my profile inside the MetaCert community to look like Hubert’s — I even set up a Gmail account using his name to demonstrate my point to him. I immediately changed my profile back to my own, as I don’t want to be accused of doing something that breaks Slack’s terms of service. Call it very lightweight white hat hacking — as lightweight as it gets.

As you can see from the tweet above, it’s easy to change your name, email address and avatar so it looks like someone else.

Why this should scare people

Let me tell you a short story… but first know this, the vast majority of people working for big companies use gmail and other non-corporate email addresses for Slack. At least in our experience for the past two years.

My name is John. I’m unhappy working at Walmart. There are 300,000 Walmart employees using Slack. I’m leaving tomorrow as I’m unhappy with my employer. I decide to change my name to Patrick Jones and I also change my avatar to his. Now my account looks exactly like the one used by the Head of HR.

Jane works in finance and is responsible for payroll. I send Jane a message to authorize her to pay John (me) two months severance pay immediately. Remember, I’m not impersonating the Head of HR. Just to be sure it’s done immediately, I quickly change my name and avatar to Jessica Murphy. Jessica is my supervisor — the person responsible for my horrid working environment. I send a message to Jane to say, “Hi Jane, I just had a chat with Patrick. We’d really appreciate it if you could run that payment for John right away, thanks”.

See what happened? All of that would take less than 5 minutes — it’s called “social engineering” and it’s one of the biggest insider threats and external hacks within cybersecurity.

What else?

Finance Director asks the CEO to make an immediate payment of $500k for a deal in China before it’s too late. With the difference in timezone the CEO must act now. Sound familiar?

Now, if that’s an insider threat, what do you think can happen between two companies where there is no unique identity? What can happen is only limited by the imagination of cybercriminals who are much smarter than all of us put together.

My recommendation to Slack is to implement a unique identifier for teams and then take it a step further and implement a visual indicator so everyone knows who the team admins and owners are. So, go in the opposite direction.
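Until a platform shows such an identifier, a workspace admin can watch for the profile swap in the John/Patrick/Jessica story from their own side. The sketch below is an added example, not code from Slack or MetaCert. It assumes the admin can export each account's stable internal ID alongside its editable profile fields; the record layout, IDs and avatar hashes are constructed for illustration.

```python
import unicodedata

def norm(s):
    """Fold case, Unicode compatibility forms and whitespace so look-alikes compare equal."""
    return " ".join(unicodedata.normalize("NFKC", s).casefold().split())

def find_impersonations(members, events):
    """Replay profile-change events and return an alert whenever a member's new
    display name or avatar matches what a *different* stable ID currently shows."""
    current = {m["id"]: dict(m) for m in members}  # copy; inputs are not mutated
    alerts = []
    for ev in events:
        actor = current[ev["id"]]
        actor.update(ev["new"])
        for other_id, other in current.items():
            if other_id == ev["id"]:
                continue
            same_name = norm(actor["name"]) == norm(other["name"])
            same_avatar = actor["avatar"] == other["avatar"]
            if same_name or same_avatar:
                alerts.append({
                    "actor": ev["id"], "looks_like": other_id,
                    "name": same_name, "avatar": same_avatar,
                    "target_is_admin": other["admin"],
                })
    return alerts

# Constructed sample data: hypothetical IDs and avatar hashes, names from the story above.
MEMBERS = [
    {"id": "M001", "name": "Patrick Jones", "avatar": "hash-a1", "admin": True},
    {"id": "M002", "name": "Jessica Murphy", "avatar": "hash-b2", "admin": False},
    {"id": "M003", "name": "John", "avatar": "hash-c3", "admin": False},
    {"id": "M004", "name": "Jane", "avatar": "hash-d4", "admin": False},
]
EVENTS = [
    {"id": "M003", "new": {"name": "patrick  JONES", "avatar": "hash-a1"}},
    {"id": "M003", "new": {"name": "Jessica Murphy", "avatar": "hash-b2"}},
    {"id": "M004", "new": {"avatar": "hash-e5"}},  # ordinary avatar change, no alert
]

if __name__ == "__main__":
    for alert in find_impersonations(MEMBERS, EVENTS):
        print(alert)
```

NFKC folding catches case, spacing and full-width variants, but not cross-script homoglyphs such as Cyrillic letters, which need a confusables table on top.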

Why it’s even more dangerous for crypto communities

Read my original post now that you’re loaded with this insight.


Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.