If you post a message with a modified deleted_at
JSON parameter, the webapp will crash for anyone currently viewing the channel, or for anyone viewing a different channel if they switch to that channel afterward.
message
, channel_id
, and pending_post_id
.deleted_at
, with a value that’s greater than 0. For example: "deleted_at": 10
.pending_post_id
to some other unique value.It affects all users viewing the channel, not just the sender. Also, you don’t even have to be in the channel when the message is sent. If you are already on a different channel, and you switch to the affected channel after the message is sent, it still has the same effect.
A user could prevent others from accessing a channel by continually making this request so that it’s impossible to load the webapp, because a new message would come and crash it even after refreshing the page. And since after refreshing you will still be on the channel, it could prevent the users from having access to the entire webapp, as they may not be able to exit the channel quick enough to prevent the crash.
You could also send a DM to someone and when they click to view the message the webapp will crash.