Slack's Google Drive App can share your private Docs and Drive files

This has been true since the integration was released and main reason it's been disabled at most companies I've worked at. Definitely nothing new and reported to Slack and Google multiple times, always replied with working as expected. If you don't like how it works, remove it. Recently the UI and options changed a bit and you can now disable previews but I believe is a user setting and not a organization setting.

The title feels wrong and might cause panic.<p>A preview picture of the documents first page is shared whether the user has permissions or not.<p>The entire document is not shared like what the title seems to suggest.<p>For sensitive documents, this can certainly be a leak but its not outright sharing in a traditional sense.

I always felt these kind of integrations ask for so much access in return for so little additional functionality. Do I<p>A- give you access to all my documents so you can make a thumbnail when I attach a document or<p>B- not do that and not get a thumbnail, so I just look at the document outside of slack before attaching it?<p>That&#x27;s never been a complicated decision for me.

Would the terms established by Google, agreed to by a developer creating an integration like this, include a need to respect permissions unless the user explicitly requests (or is explicitly informed of) additional access for parties beyond those already granted access by Google&#x27;s system directly? If so, it seems like this could be reported to Google who would pull it down and force Slack to comply, if Slack doesn&#x27;t want to on their own.<p>I suppose the installation of the integration already involves a Google-served message along the lines of &quot;Slack will be able to see everything as you do&quot; but that&#x27;s not quite explicit enough for a user to then extrapolate &quot;...and may share it however they like without telling you.&quot; Like of course they could, but they shouldn&#x27;t, unless it&#x27;s super clear, and it&#x27;s not.

It seems odd because I did share Google Doc private docs very often in Slack in the past, and Slack would tell me that this was not a public document so it could not show a preview. So I wonder if something changed.

This is a strange thing to publish in a company blog post (complete with interstitial adverts for Kapwing).

Even more than that, the page is cached as it was at the time it was shared. I&#x27;ve seen this happen with documents that were later edited, with hilarious results.

If you keep your personal files on GDrive, they might be personal but they are not private.

But the recipient already has access to the shared document?<p>Is the concern that the recipient might share the link to the image? Again, they already have access to the shared document if they want to leak it.<p>I don’t think accidental discovery is possible - there’s a long shard of random data in there. It’s no more discoverable than the share link.

Everyone should have realized by now that online services can not guarantee any level of security.

I understand importance of respecting access control but if you&#x27;re sharing a Google Drive on a private or public slack workspace, you probably are doing it wrong to begin with because anyone who has access to the channel is ideally someone you trust with the content ur sharing

How would someone in the slack workspace discover the thumbnail image url?

Same is true for tickets that have security policies in Jira.

No shit.

I use the OneDrive aka SharePoint integration for slack and I&#x27;ve never seen this issue.