This has been true since the integration was released and main reason it's been disabled at most companies I've worked at. Definitely nothing new and reported to Slack and Google multiple times, always replied with working as expected. If you don't like how it works, remove it. Recently the UI and options changed a bit and you can now disable previews but I believe is a user setting and not a organization setting.

The title feels wrong and might cause panic.

A preview picture of the documents first page is shared whether the user has permissions or not.

The entire document is not shared like what the title seems to suggest.

For sensitive documents, this can certainly be a leak but its not outright sharing in a traditional sense.

I always felt these kind of integrations ask for so much access in return for so little additional functionality. Do I

A- give you access to all my documents so you can make a thumbnail when I attach a document or

B- not do that and not get a thumbnail, so I just look at the document outside of slack before attaching it?

That's never been a complicated decision for me.

Would the terms established by Google, agreed to by a developer creating an integration like this, include a need to respect permissions unless the user explicitly requests (or is explicitly informed of) additional access for parties beyond those already granted access by Google's system directly? If so, it seems like this could be reported to Google who would pull it down and force Slack to comply, if Slack doesn't want to on their own.

I suppose the installation of the integration already involves a Google-served message along the lines of "Slack will be able to see everything as you do" but that's not quite explicit enough for a user to then extrapolate "...and may share it however they like without telling you." Like of course they could, but they shouldn't, unless it's super clear, and it's not.

It seems odd because I did share Google Doc private docs very often in Slack in the past, and Slack would tell me that this was not a public document so it could not show a preview. So I wonder if something changed.

This is a strange thing to publish in a company blog post (complete with interstitial adverts for Kapwing).

Even more than that, the page is cached as it was at the time it was shared. I've seen this happen with documents that were later edited, with hilarious results.

If you keep your personal files on GDrive, they might be personal but they are not private.

But the recipient already has access to the shared document?

Is the concern that the recipient might share the link to the image? Again, they already have access to the shared document if they want to leak it.

I don’t think accidental discovery is possible - there’s a long shard of random data in there. It’s no more discoverable than the share link.

Everyone should have realized by now that online services can not guarantee any level of security.

I understand importance of respecting access control but if you're sharing a Google Drive on a private or public slack workspace, you probably are doing it wrong to begin with because anyone who has access to the channel is ideally someone you trust with the content ur sharing

How would someone in the slack workspace discover the thumbnail image url?

Same is true for tickets that have security policies in Jira.

No shit.

I use the OneDrive aka SharePoint integration for slack and I've never seen this issue.

Agreed and I think it's due to two things:

- The app just requests may more permissions than required. Often times you'll see an app that just requires read access that is requested read, write, personal email, and blood of your first born.

I worked on a service that integrated with a lot of services that store data that one would deep business sensitive. When I'd always minimize permissions while setting up development, I had PMs/decision makers require that we ask for maximum permissions so future changes are easier. Felt wrong to me.

- The service (OAuth2 provider) not have fine-grained enough permissions. Sometimes there would only be the option for "read" or "write". Sometimes you'd get access to "read documents", but you couldn't restrict the type of documents. The more options there are, the more confusing it can be, but the more control and security the user has and I think that's much more important than development confusion.

I will say that I really appreciated what Notion does where they'll give you the ability to approve access to individual pages and while querying for pages you'll only ever see ones you've been granted access. The other side is that now a user has to approve each next page. The is also the option to allow everything existing and going forward. I think that's a great middle ground that gives control to the user. Whether the average user takes advantage of that is another question all together.

Soon enough every thumbnail will just be [THIS PAGE HAS BEEN LEFT INTENTIONALLY BLANK] once legal realizes and has IT push new corporate templates onto everyone.

And the worst part is that before web that just worked - file managed did the thumbnails (or custom open dialog) and nothing needed to be sent to cloud...

The key feature of the integration isn't the thumbnail, but that Slack indexes your Google Drive files so they show up in search. That is absolutely worth it IMO.