Spoofing someone in Slack is terrifyingly easy
Slack allows you to edit your "Display Name" on your profile. That's what everybody else sees. There's no enforcement of uniqueness.
In other words, if the big boss is "John Smith", you can set your "display name" to "John Smith" and you can also set your picture to John Smith's picture and then poof! you're basically John Smith in Slack so far as everybody else is concerned.

It is not the display name that has to be unique, it's the handle. We have the same issue with email: you get a "name" and an "email address". If the name reads "Bill Gates" but the email address reads bad_guy@hotmail.com then you know it's problematic. Is it trivial for the new user? Probably not. That is why organizations have training courses, where they tell the employees: pay attention to the important parts (aka the handle, not the name).

I don’t think it’s a problem. It’s certainly not a problem unique to Slack. Consider “internationalized domain names”, which are implemented via Punycode. The following URL does not go to Gmail: mail.goοgle.com

Note that this URL isn’t resolvable as of when I submitted this comment. Assuming no one has bought the domain and hosted something malicious there since then, you should be able to paste it into your browser to see what I’m talking about. Depending on your font settings, that probably looks indistinguishable from the correct URL. Here it is again, followed by the correct URL:

mail.goοgle.com
mail.google.com

I created the above by substituting the first “o” with a lower-case Greek omicron (ο, Unicode U+03BF). The URL bar in your browser may or may not show the ASCII version - mail.xn--gogle-sce.com - once you navigate to it. I suppose my point here is that if the domain name system in use by the entire Internet doesn’t consider this to be a bug that must be squashed, then I wouldn’t consider Slack’s lack of a uniqueness constraint for display names to be an issue :)

ETA: HN converts non-ASCII characters in URLs to Punycode upon submission. I had to omit the protocol portion of the URL to get it to display as entered.
Good job, @dang :)

Hmmm, not sure if this is an actual problem or bad configuration.
Might be based on org settings; my org locks this down since it uses LDAP as the source of truth for display names.

Same here, my org has it locked down. Your Slack display name must match your official name (which is also your email display name), and your Slack handle matches your official login. There's no way to "hack" it and spoof someone else. If you want to change your display name, you change it officially at the company source (which is straightforward and quick, so "Joseph" can easily be "Joe" or whatever). Your example kind of shows why this is needed: in a large org 2 "John Smith"s might happen.
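Two of the points above (duplicate display names in a workspace directory, and the omicron-for-o domain trick) can be audited with a small script. This is an added example, not code from the thread or from Slack; the confusables table is a tiny illustrative subset, the directory entries are constructed, and `find_collisions`/`to_ascii_domain` are names chosen here.

```python
import unicodedata
from collections import defaultdict

# Tiny illustrative subset of the Unicode confusables list (the real table is
# far larger); maps look-alike letters to the Latin letter they resemble.
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON (the one used in the thread)
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
}

def scripts_used(text):
    """Set of scripts the letters in `text` belong to, taken from the Unicode
    character name ('GREEK SMALL LETTER OMICRON' -> 'GREEK'). More than one
    script in a single name is a strong signal worth reviewing."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}

def skeleton(name):
    """Comparison key for a display name: NFKC-normalise, replace known
    confusables with their Latin look-alike, case-fold, squeeze whitespace."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return " ".join(folded.casefold().split())

def find_collisions(directory):
    """Group (handle, display_name) pairs whose display names collide after
    skeletonising; returns {skeleton: [handles]} for groups larger than one."""
    groups = defaultdict(list)
    for handle, display in directory:
        groups[skeleton(display)].append(handle)
    return {key: handles for key, handles in groups.items() if len(handles) > 1}

def to_ascii_domain(host):
    """ASCII (xn--) form of a hostname, label by label, using the stdlib
    punycode codec; this is what the browser's URL bar may show instead."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)

# Constructed sample directory: the second "John Smith" uses a Greek omicron.
SAMPLE_DIRECTORY = [
    ("jsmith", "John Smith"),
    ("newhire42", "J\u03bfhn Smith"),
    ("jdoe", "Jane Doe"),
]

if __name__ == "__main__":
    print(find_collisions(SAMPLE_DIRECTORY))        # {'john smith': ['jsmith', 'newhire42']}
    print(to_ascii_domain("mail.go\u03bfgle.com"))  # mail.xn--gogle-sce.com
```

Running the collision check over an exported user list is a cheap periodic control for workspaces that cannot lock display names to a directory source.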