Dominik Honnef

Harvesting email addresses from public Slacks

Last modified:

Over the last year, Slack, the communication tool for teams, has been becoming popular in the open source community, replacing alternatives such as IRC and Gitter. This was – rightly so – surprising to the people behind Slack. After all, Slack is designed for companies. This is evident in the lack of features that open communities would want, and the presence of features and design decisions that only really work with a group of trusted people.

Most of these design decisions might only appear odd or slightly annoying. One decision, however, makes spammers really happy: Since Slack assumes that people in a team know each other, it sees no reason to hide email addresses. This makes it trivial for spammers to join a public Slack, run a simple line of JavaScript in their browser, and get hundreds to thousands of active email addresses:

> TS.model.members.forEach(function(item){console.log(});

I’ve censored the email addresses in this blog post, but the real invocation returns full addresses. I don’t feel particularly bad about showing the code here because it is trivial to come up with and in active use by spammers already.

Luckily, Slack has added a feature to hide email addresses. It took them several months and countless requests, though that shouldn’t be too surprising as – again – their focus lies on paying businesses, not free communities. For a while now, admins of Slack teams have had the option to hide members’ email addresses. The instructions for doing so can be found in their help center. Unfortunately there are still plenty of large public Slacks that haven’t enabled this setting, and so the spamming continues…