June 15, 2026
Slack attack: secret chat edition
Show HN: Exploiting Slack's video embeds to achieve E2EE communication
A coder turned Slack’s video box into a secret chat trick, and the comments want super-apps now
TLDR: A developer found a way to use Slack’s video embed as a secret message tool, letting the encryption and decryption of private messages happen on the user’s device instead of on a server. The comment section turned that into a bigger argument about why major apps are so closed off when super-apps elsewhere already support mini-apps natively.
Slack users just got front-row seats to a wonderfully chaotic hack: one developer figured out that Slack’s so-called video embed is basically happy to load almost anything as long as the link works. That sparked a sneaky idea — use that little window inside Slack to handle private message locking and unlocking on your own device, so the middleman never sees the plain text. In normal-human terms: turning a workplace chat app into a secret-note machine by hiding the magic inside a fake video frame. Naturally, the crowd’s reaction was a mix of “this is brilliant” and “this feels like the kind of thing that gets patched the second people notice.”
The real gossip, though, is what this says about apps today. The standout community take came from summermusic, who basically said: why are big apps still so limited when China’s mega-apps like WeChat already let people run mini-programs inside everything? That kicked off the familiar tech peanut-gallery mood: admiration for the clever workaround, side-eye at Slack for accidentally allowing it, and a low-key wish that mainstream apps were more open so people wouldn’t need weird hacks in the first place. Even the details added drama — undocumented limits, strange message restrictions, and a developer stumbling into a loophole that makes Slack look less like a polished office tool and more like a digital apartment with one window that doesn’t lock. It’s part innovation, part platform roast, and exactly the kind of hacker mischief the internet loves.
Key Points
- The article presents a Slack app concept that uses Slack’s video block embed behavior to perform end-to-end encrypted messaging operations locally in the client.
- According to the article, Slack’s video block checks only that the provided `video_url` is reachable and returns a 2xx or 3xx response before rendering it as an iframe.
- The design keeps users’ private keys encrypted on the server and decrypts them locally inside the embedded client when signing, encrypting, or decrypting is needed.
- The author switched from direct use of the browser SubtleCrypto API to OpenPGP.js for cryptographic operations and notes that Slack video blocks cannot be used in ephemeral messages.
- The described message flow uses Slack commands, a modal, a slug stored in a KV database, local passphrase-based key decryption, local message encryption and signing, and server delivery of encrypted envelopes to recipients.
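The key-handling design in the points above (the server holds only a passphrase-encrypted private key, and unwrapping and signing happen on the client) can be sketched as follows. This is an added example, not the developer's code: it uses Node's built-in `crypto` module with scrypt, AES-256-GCM and Ed25519 in place of OpenPGP.js, and every function name, the record layout and the sample passphrase are assumptions.

```javascript
// Added example (constructed names and data): the server stores only a
// passphrase-wrapped private key; unwrapping and signing happen client-side.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit wrapping key from the passphrase with scrypt.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Client, at enrolment: wrap the PKCS#8 private key with AES-256-GCM.
function wrapPrivateKey(privateKey, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const ct = Buffer.concat([cipher.update(der), cipher.final()]);
  // Only this record is uploaded; the passphrase never leaves the client.
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Client, per message: unwrap locally. A wrong passphrase or a record
// altered on the server fails the GCM tag check and throws.
function unwrapPrivateKey(record, passphrase) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  const der = Buffer.concat([decipher.update(record.ct), decipher.final()]);
  return nodeCrypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

function signLocally(record, passphrase, message) {
  const key = unwrapPrivateKey(record, passphrase);
  return nodeCrypto.sign(null, Buffer.from(message), key); // Ed25519: no digest name
}

function tryUnwrap(record, passphrase) {
  try { unwrapPrivateKey(record, passphrase); return true; } catch { return false; }
}

// Constructed demo data.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const serverRecord = wrapPrivateKey(privateKey, 'correct horse battery staple');
const sig = signLocally(serverRecord, 'correct horse battery staple', 'hello');
console.log('signature verifies:', nodeCrypto.verify(null, Buffer.from('hello'), publicKey, sig));
console.log('wrong passphrase accepted:', tryUnwrap(serverRecord, 'guess'));
```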