Slack's Google Drive App can share your private Docs and Drive files

In 2017, Slack launched a popular Google Drive integration that makes it easy to embed, share, and get notified about new items added to Google Drive, including files, images, docs, and more. We use it daily here at Kapwing, an online video editing startup, since we run internally on top of Google Docs and Google Drive. Recently, however, I discovered that using file previews with the Google Drive Slack App will allow it to share completely private, unshared documents and files within your workspace.

The popular Google Drive Slack Bot

The Slack Google Drive integration has a feature called File Previews that is enabled by default. This is usually pretty handy, because when you share a link to a Google Doc, or any file in Google Drive, the bot will automatically show a preview of the document.

The Slack Bot preview for Google Documents

However, recently I noticed that it was doing this for documents that I had not yet shared. I also noticed that when certain links were sent to me, I would see a preview of the document even though I didn't have access to it yet.

Me, sharing a private document with Luke which shows the full content of the document

If I open up the URL of the file preview, the preview is a full resolution 800 × 1035 image that shows the entire first page of the document.

The app does this for private images uploaded to Google Drive as well:

Me, sharing a private image to a coworker that he is not supposed to see.

It seems like what's happening here is that when I share a document or file via a link, the Google Drive Slack app automatically creates a preview image of that file using my own Google permissions. The problem is that this preview image gets re-uploaded to Slack's CDN in high resolution and is now accessible to everyone in my Slack workspace.

You can test this yourself by creating a private Google document, or uploading an image accessible only to you to your Google Drive, and then sending the link to a colleague in Slack. If you use the web Slack client, you'll be able to inspect the full link to the image preview as well:

The full image preview that gets sent to my colleague

It might not be the biggest deal to some people, but I think it can definitely be a problem if you are not being careful with sharing private Google documents in a public Slack channel or workspace, especially since File Previews are enabled by default. Going forward, I think it would be better for the app to make this clear, since it can definitely be used by folks in Slack to see something they weren't allowed to.
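To review where Drive links have already been posted in a workspace, the following added example (not code from the original post or from Slack) scans messages from one channel of a Slack export for Google Drive and Docs URLs and notes whether each message carries a preview. It assumes messages are dicts with `text`, `user` and `ts`, and that a rendered preview appears as a `files` or `attachments` entry; the function name and sample data are made up for illustration.

```python
import re

# Slack wraps URLs in message text as <url> or <url|label>.
SLACK_LINK = re.compile(r"<(https?://[^|>\s]+)(?:\|[^>]*)?>")
# Common Google Drive / Docs URL shapes; the file ID is captured.
DRIVE_ID = re.compile(
    r"https?://(?:docs|drive)\.google\.com/"
    r"(?:(?:document|spreadsheets|presentation|file|drawings|forms)/d/|open\?id=)"
    r"([A-Za-z0-9_-]{10,})"
)

def find_drive_links(messages, channel):
    """Return one finding per Drive link in a list of Slack-export message dicts."""
    findings = []
    for msg in messages:
        for url in SLACK_LINK.findall(msg.get("text", "")):
            m = DRIVE_ID.match(url)
            if not m:
                continue
            # Assumption: a rendered preview shows up as a "files" or
            # "attachments" entry on the message; the exact shape the
            # Drive app emits is not described in the post.
            has_preview = bool(msg.get("files") or msg.get("attachments"))
            findings.append({
                "channel": channel,
                "user": msg.get("user"),
                "ts": msg.get("ts"),
                "file_id": m.group(1),
                "has_preview": has_preview,
            })
    return findings

# Constructed sample messages (IDs and users are made up).
SAMPLE = [
    {"user": "U001", "ts": "1600000000.000100",
     "text": "draft is here <https://docs.google.com/document/d/1AbCdEfGhIjKlMnOpQrStUv/edit|Q3 plan>",
     "files": [{"name": "Q3 plan"}]},
    {"user": "U002", "ts": "1600000050.000200",
     "text": "see <https://drive.google.com/open?id=0B1234567890abcdef>"},
    {"user": "U003", "ts": "1600000090.000300",
     "text": "unrelated <https://example.com/page>"},
]

if __name__ == "__main__":
    for finding in find_drive_links(SAMPLE, "general"):
        print(finding)
```

Each finding gives the document owner a file ID to check against its current Google sharing settings, so previews of documents that were never meant to be shared can be identified.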

I hope this helps others out there using the Google Drive Slack app!
