Slack is one of the hottest startups out there right now, after having won over a wide range of tech companies with its enterprise collaboration tool. Usually that would be a good thing, except that different projects those companies are working on might have been exposed thanks to a “feature” that makes team names visible to unauthenticated users.
Earlier, the feature in question allowed anyone to sign up using any random email address at a specific domain and then prompted them to select teams that were available at their company. That’s great for creating a fast onboarding workflow for users, but not so great when any random person can spoof an email address at a company’s domain and gain unauthenticated access to a list of teams.
Slack says the visibility of those team names was not entirely its fault. In a statement, the company points out that team discoverability via email domain is a setting team owners and administrators can control. It can also be set so that users can join by invitation only, which Slack says will not make team names visible to all.
That might be the case, but it’s silly to blame users for a setting that probably should have been turned off by default. While it might have resulted in fewer employees immediately signing up for teams if they needed to be invited, the unintended consequence of exposing top-secret projects is probably a much bigger issue for its customers.
That’s not to say the company doesn’t realize there’s a problem with its sign-on process. In the statement, Slack acknowledged that as companies have added more and more teams, the sign-in process has become more cumbersome anyway. As a result, it’s looking to refine that process to streamline onboarding, as well as adding features like single sign-on to address other issues.
UPDATE: Slack has since updated sign-in on desktop, and says a change is also in the works for its mobile apps, which it hopes to have live over the coming weeks. The company said that the change will make team names no longer visible when a user signs in, while it overhauls the entire sign-in process.
That doesn’t seem like a quick fix, however, and in the meantime the company says it will be reaching out to clients to clarify settings and how they affect whether or not team names are visible to unauthenticated users. That is, if those team admins aren’t already aware of the issue thanks to all the news about it.
Here is Slack’s statement in its entirety on the subject:
We understand that there is concern that people attempting to sign in to a Slack team were able to see all the teams associated with a particular email domain, even when the user was unauthenticated. There has been a good deal of confusion about this and we’d like to clarify.
The ability to view team names that relate to a particular team’s email domain or individual’s email address is a feature designed to make it easy for our users to find and access teams. Many people who use Slack have team discovery via email domain enabled. This is a setting that the team owner and administrators control. It allows anyone using a particular email domain to see all the teams that have enabled the self-signup process for that domain. The majority of Slack users see these screens when they sign in.
To break this down a bit more: when a team is created, team owners have the option to allow anyone using a particular email domain (for example: anyone@MyCompanyNameHere.com) to view and sign up to join that team. Alternately, team owners can set the preference more narrowly so that people can join by invitation only, which does not make the team name visible to everyone at that domain. These settings can be changed at any time by team owners.
As companies have added more and more Slack teams, we’ve realized that this sign-in process, designed to make team communication faster and easier, has itself become cumbersome for many. We have been working on updating our sign-in process to address this, as well as adding support for single sign-on (SSO) and other improvements to streamline the sign-in process. We are working hard to push those changes out quickly, which will address this issue in a holistic way.
In the meantime, we are clarifying our language about this setting so it’s very clear to team owners and administrators that team names are discoverable in this manner and are communicating to our users how they can change this setting or any of their team names.
At Slack we pride ourselves on listening to our users and being as quick to respond as we can. We also want to take the time to make sure we understand a concern so we can address it properly and thoroughly. We take security seriously and encourage all security researchers to use our responsible disclosure policy, which is outlined at https://slack.com/whitehat.
YouTube is strongly rumored to be launching a subscription-based music service soon, but the Google-owned video site has quietly introduced a new (and far lower-key) payment service that lets viewers send donations to YouTube channel owners.
First noticed by the astute folks at Android Police, the fan funding feature is initially available in four countries: the US, Australia, Japan, and Mexico. If you live in any of these places, you may notice the pop-up shown below appear inside YouTube.com or the service’s mobile apps if the channel owner has turned it on.
A ‘tips jar’ is not going to replace revenue from advertising, but YouTubers who enjoy a close relationship with their fans may be able to augment their ad revenue without upsetting their viewers. For what it’s worth, Google’s cut is 5 percent plus a small fee ($0.21 in the US) — for example, a $10 donation will see $9.29 passed on to the artist directly.
We’ve asked Google for more details of the fan funding program. We’ll update this post if we hear more.
Update: A YouTube spokesperson told TNW that “there are a handful of creators testing it out at the moment, and the plan is to bring this to more creators and countries in the future.”
There are more details on fan funding at this YouTube webpage.
Thumbnail image via Rego Kosiri / Flickr, screenshot via Android Police
Over the last few years we’ve seen a number of startups appear that would like to bring the market power of the Internet to bear on a traditionally tough market: car repairs. We’re all too aware of the obvious issues to be solved: the lack of consistency and transparency, and the difficulty of vetting both the work of the garage and its customer service before you entrust your vehicle to them.
RepairPal has been around since 2007 and has raised $21.3M to date. Last year OpenBay launched its auto repair marketplace to connect car owners with local mechanics. YourMechanic wants to be the Uber of mechanics, sending you one on call. And BodyShopBids won funding for a site that allows consumers to solicit custom auto repair estimates by uploading a photo.
Now Autobutler, an online platform for car maintenance and servicing, has raised €5.8m in a round led by Index Ventures, with participation from existing investors including Dawn Capital and Nordic venture capital firm Creandum. The funds will be used to expand across Europe, starting with Germany and the UK.
The site claims 140,000 customers have used it to find a garage to repair or service their car, chosen from 3,300 garage chains or independent workshops.
A user selects their make and model of car on the site, the work that needs to be done, and a location, and the job goes out to a 24-hour tender. Within 24 hours, the car owner receives up to three offers from vetted local garages, and can read customer reviews before making their choice.
Autobutler’s Global CEO and Partner Christian Legêne believes its killer feature is its CRM tool for individual mechanics and larger chains, which gives them deeper insight into how to improve their business while at the same time making it easy for them to find customers online.
With so many US startups concentrating on their home market, it looks like Autobutler has a pretty good window of opportunity here.