Cross-site leak allows attacker to de-anonymize members of his team from another origin
Team Summary
Official summary from Slack
This issue was reported by researcher @jub0bs via HackerOne on December 29, 2020. The Slack security team reviewed the issue, understanding the nature of information disclosure on Dec 30th. We closed the issue as informative, which we do to reflect that the report, while accurate, has not taken into account other mitigating factors or needed capabilities of our product. On September 28th of 2021, the security researcher reached out requesting to publish a blog about the finding. Upon further review in October 2021, Slack staff noted inconsistent documentation about the workspace invitation settings and reclassified the report accordingly.
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $250.00
Submitted:
Weakness: Privilege Escalation