by filereaper 982 days ago
The title feels wrong and might cause panic.

A preview picture of the document's first page is shared whether the user has permissions or not.

The entire document is not shared like what the title seems to suggest.

For sensitive documents, this can certainly be a leak, but it's not outright sharing in a traditional sense.

7 comments

A preview of the first page is absolutely enough to put companies on the wrong side of government and/or industry regulations/compliance.

It may not be as astronomically bad as you immediately imagined, but I don't see how the nuance makes any material difference with the urgency in which this would need to be contained/analyzed/investigated and reported timely where required.

> A preview of the first page is absolutely enough to put companies on the wrong side of government and/or industry regulations/compliance.

So that whole, “This page intentionally left blank”, is a security feature?

Could be, except it's unlikely to be put on the first page, so at the very least, this integration is leaking the title, classification and authorship - and through that, existence - of a potentially sensitive document.
Until the preview uses machine learning to skip that and show the first page containing content :)
This is the point of the Slack app though. It does notify you if x recipients can't see a document, but it doesn't attempt to hide it from those who don't already have access.

Companies can turn off the Google Drive app in their Slack workspace and block it in Google Workspace admin (and generally allowlist which apps can request Drive permissions: https://support.google.com/a/answer/7281227?hl=en ).

The reason it's implemented this way is that Slack doesn't have the ability to generate a per-user thumbnail based on the access rights of the document.

As the sender of the Slack link, Slack should give the option to include the preview or not, like it does for other unfurls.

Where there would be a major problem is if someone could trick Slack into generating a preview of a link they don't have access to.

Secondarily, I have seen Slack show an obsolete preview, which could result in something accidentally shared.

As someone that has to do FERPA training every year, I would classify that as a disaster.
Many of my documents are only one page, especially private confidential ones like communications with HR.
It is also only shared if the owner posts a link to the document in a public channel.
Except if this page contains PII.

or sensitive company secrets

or relevant details of business deals

or is a payslip

etc etc.

It is a horrible breach that shouldn't exist and should be fixed ASAP, also due to GDPR concerns.

Saying that it is a non-issue is very short-sighted.

It’s enough in discovery….