Slack is a popular instant-messaging platform mainly used by companies for work-related communications between team members.
It can also become an unintentional security threat to a company if access is not monitored and internal-only data is shared among members in Slack.
By default, anyone can send invitations to new members. It is a best practice to only allow administrators to send and accept invitations.
To check if you have permissions to invite a new member:
- Sign in to your Slack Workspace
- Open any channel
- Click on Add people
- A popup will open up, enter the user's email address
- Finally, click Add
These reproduction steps prove that you're able to invite new members without approval from an administrator.
It is a best practice to allow only workspace administrators to invite new members.
To do so:
- Sign in as the workspace administrator
- Next, navigate to /admin/settings on your Slack workspace (or click on your workspace name, hover over Tools & Settings and click on Workspace Settings)
- Open Permissions
- Expand Invitations
- Check the Require admin approval box and, additionally, select the channel to receive requests in
- Finally, click Save to save your changes
As team members often share internal company data with each other, Slack can become a potential target or an attack vector into your organization.
Other members can unintentionally invite unauthorized users and provide them internal access.