HeadlinesBriefing.com

Slack video block hacked for end‑to‑end encryption

Hacker News

While poking around Slack’s Block Kit, developer v1ctorio noticed that the video block accepts any URL and simply renders it in an iframe once that URL answers with a 2xx or 3xx status. That loophole inspired an app that encrypts messages with browser crypto APIs, keeps only encrypted private keys on its server, and performs all cryptographic work inside the video embed, with no Slack API changes required. The result is end‑to‑end encrypted chat on Slack.

The implementation is written in TypeScript for rapid iteration and uses OpenPGP.js, the OpenPGP library maintained by Proton, for key generation, signing and encryption. Because Slack’s metadata fields cannot hold long ciphertext, the app stores the data under a short slug in a KV store and injects it into the iframe when the video block loads; the server only ever handles ciphertext and encrypted private keys, never plaintext. As with any web‑delivered end‑to‑end encryption, that guarantee holds only as long as the server serves honest client code, which is why the option to self‑host matters.

Users run /e2ee send, which opens a modal for choosing recipients. On submit, the app creates a slug holding the sender’s encrypted private key and the recipients’ public keys, then posts a Slack video block whose iframe unlocks the sender’s key, signs and encrypts the message locally, and returns only ciphertext to the server. The source is at v1ctorio/e2ee-slack and can be self‑hosted in minutes.