Check this screenshot of google teams http://m.imgur.com/a/eWLEf. There is a team name called viber and google doesn't own viber.
Check this news that came 2 days back: http://www.jbgnews.com/2014/10/google-looking-to-rival-whats...
Connect the dots. You can infer a lot.
It is information disclosure at its finest.
Smart thing is to accept it is a problem and address it. Defending to say it is nothing doesn't make the problem go away. The fault is on both slack and the companies who are using it.
It's just a nice thing to do and they might reward you for it. You can still post it on your blog after they released a fix.
@rootlabs: Got the expected "not a bug" from @SlackHQ so feel free to see names of MSFT, Google chats via login info leak. http://t.co/kldKXN7NTf
How about next time you stop generalising?
Real people work at Slack, and very few of them were likely responsible for this oversight.
OP could still pat him/herself on the back after disclosing and waiting for a fix.
Note that elsewhere in this thread you can see that it was reported to Slack, but they responded saying it wasn't a bug.
In this case the information seems unlikely to contain anything sensitive pertaining to customers. If it had though then the companies that had negligently put sensitive information on untrusted servers would be held liable and could face significant fines (violating the Data Protection Act 1998 in the UK can lead to fines of up to £500,000 and similar legislation exists in other parts of the EU). That more serious kind of breach is the one we are trying to avoid by advising companies not to use cloud services.
I'd like people to be responsible when they discover a serious flaw in my programs, so I'll try to be responsible when discovering one in theirs.
Also Linus basically insults anyone for being alive.
You are under absolutely no obligation to do work for free that these companies should have been doing in the first place.
Cloudflare, along with flatfile caching by Drupal's Boost module came to the rescue. Hope that stays alive for a while now.
Regarding not having disclosed this one discreetly to Slack:
* I have considerable experience in a couple of open-source projects including Drupal and have reported multiple vulnerabilities on various occasions for various modules discreetly (though mostly of lesser significance and a very narrow/rare attack vector) to the right teams through various channels meant for this purpose. As such I am aware of the SOPs for the righteous to follow in case of discovering a vulnerability.
* I don't think this one is a security issue that would take a professional security expert to crack. Nor could this have gone unnoticed when Slack tested their product. This is an issue with 'common sense'. I am pretty sure that Slack designed it this way. It is just the customers that are surprised now. Not Slack.
Also, it looks like this was reported earlier to Slack by https://twitter.com/rootlabs/status/499723782244675584 a couple of months ago and it was rejected by Slack as "Not a bug". However, I do acknowledge that I was not aware of this report when I first published the post and hence cannot say that I disclosed it only after being rejected by Slack. I would say it was not a security vulnerability to report but just bad design that Slack had put in, being totally aware of what it means.
1) Your company should not be using SaaS services for sensitive projects w/o codenames. (Codename FishSauce = Viber M&A) -- obviously just obscurity, but still solid opsec.
2) I'd love to see your write-up on HipChat uploading all files directly to an S3 bucket accessible to the world.
3) Every user w/ that company's domain sees this each time they sign in.
4) I just think it's overhyped and not a big deal.
5) It only impacts companies who have multiple Slack TEAMS (not the same thing as channels; no channel names are disclosed).
Also, this is a decision Slack admins make: http://imgur.com/FCUE1mY
This is absolutely a security issue. What companies I do business with is protected under NDA.
Here is a cached version
The gist of it: the Slack Mac client seems to ask you for your groups before properly authenticating you; hence, if you put in the email address of a competitor (or famous person), you can see which groups they belong to, which might be valuable information.
(haven't tried it myself, just summarising the post)
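To make the design flaw described in that summary concrete from the defender's side, here is an added example (not Slack's code, and not from any commenter) that places the leaking lookup next to a hardened one. The in-memory directory, the per-team "domain signup enabled" flag, the `PENDING` token store and every function name are assumptions made purely for illustration; a real service would deliver the token by email rather than keeping it in a dict.

```python
"""Pre-authentication team lookup: the leaking design next to a hardened one.

Added example, not Slack's code. The in-memory directory, the open-signup
flag, the PENDING token store and all function names are assumptions made
for illustration only.
"""
import hmac
import secrets

# Constructed sample directory: team name -> (email domain, domain signup enabled)
TEAMS = {
    "Acme Ops":          ("acme.example", True),
    "Acme Project Kiwi": ("acme.example", True),   # an unreleased-product team name
    "Acme Finance":      ("acme.example", False),  # admin kept domain signup off
    "Widget Corp":       ("widget.example", True),
}

# Constructed stand-in for "token was emailed to this address": email -> token
PENDING = {}


def _domain(email):
    # Whatever follows the last '@', lowercased. Deliberately no validity check,
    # matching the thread's "valid or not" observation about the local part.
    return email.rsplit("@", 1)[-1].lower()


def _joinable_teams(domain):
    # Only teams whose admins enabled domain signup are ever listed, which is
    # why the thread says the leak hits companies that turned that setting on.
    return sorted(name for name, (d, open_signup) in TEAMS.items()
                  if d == domain and open_signup)


def lookup_leaky(email):
    """The design described in the thread: the caller types any address with a
    known domain and gets the team names back before proving anything."""
    return _joinable_teams(_domain(email))


def start_signin(email):
    """Hardened first step: mint a token and 'send' it to the mailbox. The
    response is identical whether or not the domain has any team, so an
    unverified caller learns nothing from it."""
    PENDING[email] = secrets.token_urlsafe(16)
    return {"status": "pending", "teams": []}


def finish_signin(email, token):
    """Hardened second step: the team list is released only to whoever holds
    the token, i.e. whoever controls the mailbox. A wrong or missing token
    yields the same shape of reply as the first step, so there is no oracle."""
    expected = PENDING.get(email)
    if expected is None or not hmac.compare_digest(expected, token):
        return {"status": "pending", "teams": []}
    return {"status": "ok", "teams": _joinable_teams(_domain(email))}
```

The two properties worth checking are that `lookup_leaky` answers differently for different domains while `start_signin` does not, and that `finish_signin` only becomes informative once the caller presents the token that was "sent" to the address.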
2) Any email address, valid or not, with a valid domain name works.
Cached version, as the link is broken.
Edit: I wonder how GitHub distinguishes their own "internal" emails.
Too bad slack doesn't support any of this. This is the price they have to pay for reinventing username and password authentication and requiring everyone to register.
It is also bad since employees quit or are fired, and you don't want to have to maintain a directory of employees on every application you use.
Shameless plug, I work for https://auth0.com and we make this easier.
That being said, everyone railing about "unreleased product names" seems to have forgotten this is exactly the purpose of code names: they're pretty much expected to be leaked at some point, but it's okay since the stakes are intentionally low. Use code names!
There is some debate internally over whether 'new' refers to 'new as in old' or 'new' as in the opposite of 'renewal'. No one knows why it is called what it is called.
That's what Sun did with Swing, which was originally called Kentucky Fried Chicken internally.
Not as long as you replace it with a new name. Your "new" problem doesn't sound like a problem of stickiness, it's a problem of never giving it an actual name in the first place, or when it was rolled out.
Look at the Orbis and Durango for names widely used when the press was rumor-mongering that went away as soon as the devices were revealed. We've even changed our internal code names on projects without much fanfare; as long as the name change represents a milestone in the project or a difference in audience, it's easy to cut over.
Leaking of business conversations can have serious implications on many areas, from financial to legal. If an employee leaves the company, how will that be handled?
If the communication includes material insider information, like companies/products they are considering buying, and they are flinging it all over the internet so third parties can read and act on it, the SEC can charge them.
If you use cloud services for company communication then you at least need to have provably secure encryption so only the people you want to see the conversation can.
Of course this criticism applies to all the suckers who use Google and Microsoft cloud services for their business.
From the Slack TOS:
>Your acceptance of this TOS gives us the permission to do so and grants us any such rights necessary to provide the service to you, only for the purpose of providing the service (and for no other purpose).
They _could_ be breaking the TOS (and thus the contract between you and them), but I doubt it.
I think the "this is why not startups|cloud" posts are a bit heavy handed given the actual details of what we're talking about here.
Got this error though:
phantom stdout: TypeError: 'null' is not an object (evaluating 'element.value = text')
TypeError: 'null' is not an object (evaluating 'element.value = text')
Made a little script that generates a screenshot and outputs the groups formatted like this:
microsoft.com groups: Yammer, Mihafa, Somex, iOS Team, China South CAM-S, DSE-Ireland, FUSE Labs, GroupMe, MozTeam, OCS Design Studio, OSS Studios, Priya's Team, FAST, Office PM, DMX, UK Apps, Bobbyk test, ExPGTeam, Team Wolf, BD&E, BingTV, OS Services, DMX, Kudu, EE COE, web, UI Team, Office BP, OneNote, VOX, CPG, India LRP, FooBar, Capture, Capptain, RoleClarity, asterix, Dragonslayers, SignalR, Office Mix, patterns & practices, DX, XD, TEDCOM, Exchange Ecosystem, CSI, PowerBI-ng, ODP, Compete, My Life & Work - China, Azure Active Directory, Census, MeetingsHVS, APEXOutlook, [FUN]CTION, Tempe, Arcadia, OEM, SharedPlatDev, #hashtag, Universal Apps, Modern Attachments, DLDW, Windows client, ESocialGP, MEA HQ Windows, Azure CAT PMoR, OneDrive, Azure Compute, QuestPersonalization, The Size 7 Italian Team, MMCOM, DLTC, ATMS, TED Strategic Engagements, Async Media Distribution, MAW team, APLD
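The scripted output above is what a pre-auth lookup looks like from the outside; from the service owner's side the same activity is visible in request logs as one source querying addresses at many unrelated domains in a short span. The following added example (not from the thread, not Slack's tooling) runs a simple sliding-window detector over constructed log lines. The log format, the `/signin/lookup` path, the window and the threshold are all assumptions chosen for illustration.

```python
"""Spotting pre-auth team-name enumeration in request logs.

Added example, not from the thread or from Slack. The log format, the
endpoint path, the window and the threshold are constructed assumptions;
real logs will differ.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: timestamp, source IP, path, queried address.
# 203.0.113.7 walks through six different domains in nine seconds;
# 198.51.100.2 looks like a real user signing into one domain.
SAMPLE_LOG = """\
2014-10-20T10:00:01Z 203.0.113.7 /signin/lookup email=alice@acme.example
2014-10-20T10:00:03Z 198.51.100.2 /signin/lookup email=bob@acme.example
2014-10-20T10:00:04Z 203.0.113.7 /signin/lookup email=x1@widget.example
2014-10-20T10:00:05Z 203.0.113.7 /signin/lookup email=x2@widget.example
2014-10-20T10:00:06Z 203.0.113.7 /signin/lookup email=x3@bigco.example
2014-10-20T10:00:07Z 203.0.113.7 /signin/lookup email=x4@other.example
2014-10-20T10:00:08Z 203.0.113.7 /signin/lookup email=x5@another.example
2014-10-20T10:00:09Z 203.0.113.7 /signin/lookup email=x6@yetanother.example
2014-10-20T10:05:00Z 198.51.100.2 /signin/lookup email=bob@acme.example
"""

WINDOW_SECONDS = 60
MAX_DISTINCT_DOMAINS = 3   # a real user signs into one or two domains, not six


def parse_line(line):
    """Split one constructed log line into (time, ip, path, email domain)."""
    ts, ip, path, kv = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    email = kv.split("=", 1)[1]
    return when, ip, path, email.rsplit("@", 1)[-1].lower()


def find_enumerators(log_text, window=WINDOW_SECONDS, limit=MAX_DISTINCT_DOMAINS):
    """Return {ip: peak_distinct_domains} for every source that queried more
    than `limit` distinct email domains within any `window`-second span."""
    recent = defaultdict(deque)   # ip -> deque of (time, domain), oldest first
    flagged = {}
    for line in log_text.splitlines():
        when, ip, path, domain = parse_line(line)
        if path != "/signin/lookup":
            continue
        q = recent[ip]
        q.append((when, domain))
        # Drop entries that have aged out of the window for this source.
        while (when - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Counting distinct domains rather than raw request volume is the point: a legitimate user may retry a sign-in many times, but has no reason to probe half a dozen unrelated organisations, so this rule stays quiet on the second source while flagging the first. In practice the same signal feeds a rate limit on the lookup endpoint, but the lasting fix is the one discussed elsewhere in the thread: not answering before the address is verified.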
I wouldn't want to trust any business use to something that doesn't provide a documented API that I can use from my own code.
There are many businesses that still use Excel as their CRM software, even though there are purpose-built apps that work better.
My point is that Slack, Hipchat, and others are specifically targeting businesses. Having an API with integrations to other software (CRMs, issue trackers, PM, etc.) is one huge advantage over Skype, just as an example.
IMO, this seems like more of a security issue of the individual creating Slack accounts for: a) naming the accounts for a specific (potentially revealing) sub-set of their company, and b) turning on the feature that allows anyone to create an account if their e-mail matches the domain.
The company I work for uses Slack but has this second feature disabled, and our company is not listed when you try and sign in with a bogus e-mail account.
Since Skype is not really light-weight anymore and Google Chat did not really take off, it looks like Slack found itself a good spot in between.
Talk about reinventing the wheel.
Signup for "><img src=x onerror=prompt(document.domain);>
Seriously this is very interesting and could be valuable. Expect that it will get fixed soon though.