Slack announcement-only channel post restriction bypass

Last Modified: Wed, 20 Mar 2019 15:28:59 +0000 ; Created: Wed, 20 Mar 2019 12:00:00 +0000

Slack is a messaging platform with channels for communication. One feature includes an announcement-only channel for communication to users. Only authorized users may post content to these channels as per: Create an announcement-only channel,, Feb 21, 2019.

The official Slack documentation states:

By limiting who can post, announcement-only channels are a great way to broadcast information to everyone in Slack. This type of channel becomes read-only to anyone without permission to post. Instead of the message field, members will see a message like this:

Your Workspace Owners have limited who can post to #announcements-global

However, I found a way for unauthorized users to bypass this restriction via the use of commonly added third party applications. One example is via the Simple Poll app.

  1. Go to a channel that has restricted posting, such as #general, using a user who is not allowed to post new messages or thread replies
  2. Select a message posted in the channel by one of the authorized users
  3. Click on the ... menu for that message
  4. More message actions...
  5. Turn question into poll via Simple Poll add-on
  6. Post the poll with whatever text you want
  7. Notice (screenshot attached) that the poll appears for all users even though "Your Workspace Owners have limited who can post to #general


This was just one example app. Many other apps could be used as well to do the same. The issue lies in that Slack at its core does not prevent apps from making this unauthorized post to an announcement-only channel and bypassing this security control.

Slack should not trust third party apps to restrict who can post to an announcement-only channel. Doing so at present will require uninstalling many third party apps used by customers to prevent this vulnerability.


In this case #general was locked down because everyone was in it and kept posting @here comments that annoyed people. An attacker, however, could post a phishing message with a malicious link to a channel such as #general which all employees would see in their Slack.

A Workspace Owners/org admin must monitor the channel and delete unauthorized posts to mitigate.

An attacker can also quickly delete the Poll post to minimize the chance of a legit admin seeing the post and determining who was phished.

Vendor Response

The vendor states that these security bugs must be addressed in the third party apps themselves.


Feb. 14, 2019 Reported via instructions to
Feb. 18, 2019 Vendor replies they will not fix.
Feb. 18, 2019 Request to make report public
Mar. 20, 2019 30 day mark and public disclosure