by skywhopper 877 days ago
What team did you report this issue to? I think this is more about the Slack Google Drive plugin's behavior than Google Docs per se. If someone with permission to view the doc takes a screenshot of the first page of the doc and sends that to you, there's nothing really that Google Docs can do to stop that. That's analogous to what's happening here. The Google Docs Slack integration is what's sharing the preview image.

I agree that it's poor behavior and potentially could be part of a critical security compromise. But you'd need to get a hold of the right team. The Google Docs core engineers probably don't care and couldn't fix it anyway.

I don't know for sure (and can't check now since I no longer work there), but my impression at a former job that made heavy use of Slack and Google Docs was that in a corporate setting with Google Enterprise or whatever it's called, the Slack integration was far more cautious about showing previews. It even alerted you if you posted a document that not everyone in the channel could view, and gave you the ability to grant them access right then and there. IIRC, previews were hidden if you didn't have access. I don't know if that is a different plugin or just better behavior in a corporate setting.

2 comments

Ah, this is a helpful insight. I didn't realise that this is how the integration works. It seems that, at most, Google could force Slack to update their integration's behaviour (and take down the integration till that happens). But as you mentioned, they can't really fix it themselves.

I probably wouldn't have posted this if I had received this explanation from Google. :)

This was their response: "Hi! We've decided that the issue you reported is not severe enough for us to track it as a security bug: when someone with access to a doc sends a link over slack, they express their intent to share this document, hence the preview shared independently from the sharing setup on the doc does not represent a significant risk."

I'm not sure why the plugin has (or needs to have) access to the private doc in the first place. I would expect a communications channel to communicate my link, not act as a third person with privileged credentials.

Slack has the permissions because you have enabled Google Drive integration, and authenticated your Google account to give that integration permissions to act as you. If you don't enable Google Drive integration, you don't get a preview. If you do enable the Google Drive integration, Slack uses your permissions to generate a screenshot, and send that to the other users. It is you and your effective permissions that are sending a screenshot, bypassing other security.

It is not intuitive if you are not used to how security really works, which is that permissions are granted to masks that you wear, not to any real person. When you give Slack permissions to use the drive integration, you are giving them a copy of your mask, and they are you, even unexpectedly. You have a (subconscious) reflex to automatically create and share screenshots of documents that you link, that you have trained via Slack's hook. Remove that integration, and everything works as expected.
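
The delegation discussed in this thread, as an added example that is not part of any comment above: a constructed Python model in which a preview is rendered with the poster's delegated identity and shown to the whole channel, next to the more cautious per-viewer behaviour one commenter recalls from a corporate setup. `Drive`, `Doc`, both `unfurl_*` functions and the sample accounts are hypothetical; no real Slack or Google Drive API is modelled.

```python
# Constructed model of delegated link previews; no real Slack or Drive API is called.
from dataclasses import dataclass


@dataclass
class Doc:
    first_page: str
    viewers: frozenset  # accounts the document's own sharing settings admit


class Drive:
    """Hypothetical document store that authorises by the identity on the token."""

    def __init__(self, docs):
        self.docs = docs

    def can_view(self, doc_id, account):
        return account in self.docs[doc_id].viewers

    def render_preview(self, doc_id, acting_as):
        # The store sees only the delegated identity, not who will read the image.
        if not self.can_view(doc_id, acting_as):
            raise PermissionError(f"{acting_as} cannot view {doc_id}")
        return "[preview] " + self.docs[doc_id].first_page


def unfurl_as_poster(drive, doc_id, poster, members):
    """Behaviour described in the thread: render once as the poster, show to all."""
    preview = drive.render_preview(doc_id, acting_as=poster)
    return {m: preview for m in members}


def unfurl_per_viewer(drive, doc_id, poster, members):
    """Cautious variant: hide the preview from members the doc does not admit
    and return their names so the poster can be asked whether to grant access."""
    preview = drive.render_preview(doc_id, acting_as=poster)
    shown = {m: preview if drive.can_view(doc_id, m) else None for m in members}
    lacking = sorted(m for m, p in shown.items() if p is None)
    return shown, lacking


# Constructed sample: a private doc viewable only by alice, posted in a 3-person channel.
DRIVE = Drive({"doc-1": Doc("Q3 reorg plan", frozenset({"alice"}))})
MEMBERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    print(unfurl_as_poster(DRIVE, "doc-1", "alice", MEMBERS))
    print(unfurl_per_viewer(DRIVE, "doc-1", "alice", MEMBERS))
```

In the first function the document's sharing settings are consulted only for the poster; in the second they are consulted once per reader, which is the check the preview path otherwise skips.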