Ability to join an arbitrary workspace by utilizing a proxy to manipulate invite links
Team Summary
Official summary from Slack
A software bug was found where experienced researchers could utilize an intercepting proxy to repeat HTTP requests to the endpoint api/signup.createUser, replacing the team ID parameter with an arbitrary team ID from the one-time password email generated by a workspace invitation, inviting themselves to a different workspace than the original invitation. This was possible only for workspaces that did not require admin approval to send invitations to join. Slack launched an investigation of this issue immediately, deploying a fix the same day. We performed a comprehensive impact assessment and concluded that no customers were impacted by this issue.
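The flaw described above is a classic binding failure: the invite token proves that *an* invitation was valid, but the workspace actually joined is read from a separate, client-supplied team ID field, so replaying the request with another team ID joins that team instead. The following is an added illustration, not Slack's code, of an invite-acceptance handler in that vulnerable shape beside a hardened form that derives the target workspace from the signed invite and refuses any request whose team ID disagrees. All names (the `WORKSPACES` table, team IDs such as `T_OPEN`, the `invite_token`/`team_id` parameters, the HMAC key) are constructed assumptions; the model also reflects the summary's note that workspaces requiring admin approval never grant immediate membership.

```python
# Added example (not Slack's code): an invite-acceptance endpoint modelled in
# its vulnerable and hardened forms. Every identifier here is a constructed
# assumption, not a real Slack API name or value.
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

SERVER_KEY = b"constructed-secret-key"  # assumption: server-held HMAC key

# Constructed workspace table: team id -> whether joins need admin approval.
WORKSPACES: Dict[str, Dict[str, bool]] = {
    "T_OPEN": {"requires_admin_approval": False},
    "T_OTHER": {"requires_admin_approval": False},
    "T_GATED": {"requires_admin_approval": True},
}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _now(now: Optional[int]) -> int:
    return now if now is not None else int(time.time())


def issue_invite(team_id: str, email: str, ttl_seconds: int = 3600,
                 now: Optional[int] = None) -> str:
    """Mint the one-time invite token an invitation email would carry.
    The team id is bound into the signed payload so the server can recover
    it later without trusting any client-supplied field."""
    exp = _now(now) + ttl_seconds
    payload = f"{team_id}|{email}|{exp}"
    return f"{payload}|{_sign(payload)}"


def verify_invite(token: str, now: Optional[int] = None) -> Optional[Dict[str, str]]:
    """Return the bound fields if the signature is valid and unexpired, else None."""
    try:
        team_id, email, exp, sig = token.split("|")
    except ValueError:
        return None
    payload = f"{team_id}|{email}|{exp}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered payload
    if int(exp) < _now(now):
        return None  # expired invite
    return {"team_id": team_id, "email": email}


def create_user_vulnerable(params: Dict[str, str],
                           now: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Pattern described in the report: the invite is checked for validity,
    but the workspace joined is taken from the request's own team_id field,
    so a replayed request with a different team_id joins that workspace."""
    invite = verify_invite(params["invite_token"], now)
    if invite is None:
        return ("rejected", None)
    team_id = params["team_id"]  # trusted straight from the client
    if team_id not in WORKSPACES:
        return ("rejected", None)
    return ("joined", team_id)


def create_user_fixed(params: Dict[str, str],
                      now: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Hardened: the target workspace comes from the verified invite, and a
    client-supplied team_id must agree with it or the request is refused.
    Workspaces that require admin approval only ever get a pending join."""
    invite = verify_invite(params["invite_token"], now)
    if invite is None:
        return ("rejected", None)
    team_id = invite["team_id"]
    supplied = params.get("team_id")
    if supplied is not None and not hmac.compare_digest(supplied, team_id):
        return ("rejected", None)  # replayed request pointing at another team
    workspace = WORKSPACES.get(team_id)
    if workspace is None:
        return ("rejected", None)
    if workspace["requires_admin_approval"]:
        return ("pending_approval", team_id)
    return ("joined", team_id)


if __name__ == "__main__":
    token = issue_invite("T_OPEN", "user@example.test")
    replay = {"invite_token": token, "team_id": "T_OTHER"}
    print("vulnerable:", create_user_vulnerable(replay))
    print("fixed:     ", create_user_fixed(replay))
```

The hardened handler also treats a mismatching `team_id` as a signal worth logging rather than silently ignoring it: a valid invite arriving with a foreign team ID is exactly the replay pattern the report describes, and counting such rejections per invite token is a cheap detection for this class of tampering.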
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Improper Authentication - Generic