by sebak 3875 days ago
The problem is not with having public URLs. The problem is with public URLs that don't have enough random numbers, or whose numbers aren't generated by a CSPRNG.

Doesn't help how complex your URL is if legitimate users can pass it to anyone else who can then access the file without proper authorization.
Preventing legitimate users from sharing the data with malicious users is essentially what DRM is, and as we all know DRM is never perfect and rarely any good at all.

It's much more important to prevent malicious users from being able to access these files without the help of legitimate users. Which seems like an obvious thing to do, but it's what Slack has failed at here. It's impossible to tell from that one GitHub URL whether they get this right or not.

It does help. Malicious users intending to share files can do so without having a public URL.
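
An added example, not part of the thread and not any service's actual code: a sketch of the two properties the first comment asks of a public URL, namely enough random bits and a CSPRNG as their source. The host name, the `LinkStore` class, the 256-bit token size and the `guess_success_log2` helper are all assumptions made for illustration.

```python
import hashlib
import math
import secrets

TOKEN_BYTES = 32  # 256 random bits per link (assumed size, not from the thread)
BASE_URL = "https://files.example.test/f/"  # hypothetical host


class LinkStore:
    """Server-side table of live public links. Only token hashes are stored."""

    def __init__(self):
        self._by_hash = {}  # sha256(token) hex digest -> file id

    def mint(self, file_id):
        # secrets draws from the OS CSPRNG; the random module (Mersenne
        # Twister) is predictable from observed output and must not be used.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_hash[hashlib.sha256(token.encode()).hexdigest()] = file_id
        return BASE_URL + token

    def resolve(self, url):
        if not url.startswith(BASE_URL):
            return None
        token = url[len(BASE_URL):]
        # Lookup is keyed on the hash, so a leaked table does not
        # hand out usable URLs.
        return self._by_hash.get(hashlib.sha256(token.encode()).hexdigest())


def guess_success_log2(token_bits, live_links, guesses):
    """log2 of the union-bound chance that blind guessing hits any live link.

    Clamped at 0.0 (probability 1) when the token space is too small.
    """
    bound = math.log2(live_links) + math.log2(guesses) - token_bits
    return min(0.0, bound)


if __name__ == "__main__":
    store = LinkStore()
    url = store.mint("file-1")  # constructed sample file id
    print(url, "->", store.resolve(url))
    # A billion live links and a trillion guesses, 256-bit vs 32-bit tokens.
    print(guess_success_log2(256, 10**9, 10**12))
    print(guess_success_log2(32, 10**9, 10**12))
```

This covers only guessing by someone who was never given the link; it does nothing about a legitimate holder passing the URL on, which is the objection raised in the replies.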