[HN Gopher] Slack's Google Drive App can share your private Docs...
___________________________________________________________________
Slack's Google Drive App can share your private Docs and Drive
files
Author : justswim
Score : 229 points
Date : 2023-10-12 06:44 UTC (14 hours ago)
(HTM) web link (www.kapwing.com)
(TXT) w3m dump (www.kapwing.com)
| Mandatum wrote:
| No shit.
| mrabcx wrote:
| Everyone should have realized by now that online services can not
| guarantee any level of security.
| Frost1x wrote:
| It's often used as an argument to prop up service models
| though: use our service because it's _more_ secure than not. In
| theory it makes sense. In practice, security through obscurity
| I think doesn't get enough justice.
| pwarner wrote:
| I use the OneDrive aka SharePoint integration for slack and I've
| never seen this issue.
| seanhunter wrote:
| I always felt these kinds of integrations ask for so much access
| in return for so little additional functionality. Do I
|
| A- give you access to all my documents so you can make a
| thumbnail when I attach a document or
|
| B- not do that and not get a thumbnail, so I just look at the
| document outside of slack before attaching it?
|
| That's never been a complicated decision for me.
| gorlilla wrote:
| Soon enough every thumbnail will just be [THIS PAGE HAS BEEN
| LEFT INTENTIONALLY BLANK] once legal realizes and has IT push
| new corporate templates onto everyone.
| chinathrow wrote:
| Don't worry, the algorithm will find the most suitable page
| to minify for you.
| paxys wrote:
| The key feature of the integration isn't the thumbnail, but
| that Slack indexes your Google Drive files so they show up in
| search. That is absolutely worth it IMO.
| ceejayoz wrote:
| That's similarly bad, though, at times.
|
| If I search "Draft performance improvement plan for ceejayoz"
| and a document I don't have access to comes back, that's a
| fairly significant data leak.
| prng2021 wrote:
| Except that's not how it works. Your search results only
| include the documents you have access to.
| oooyay wrote:
| Disclaimer that I work at Slack.
|
| The search you experience runs against permissions so
| something like that doesn't happen.
| ceejayoz wrote:
| If Slack is already checking those permissions, fixing
| the thumbnail issue should be fairly straightforward,
| yes?
| mlhpdx wrote:
| Does that mean Slack has implemented, correctly, Gmail's
| complicated permission model? Glad I've never enabled
| that integration.
| theolivenbaum wrote:
| It probably just uses Google drive search API and
| includes the results into slack's own results.
| Y_Y wrote:
| > Disclaimer that I work at Slack.
|
| I suppose by this you mean that you _do_ work at Slack,
| but that's not really a disclaimer, is it? More of a
| "claimer".
| SoftTalker wrote:
| The proper word here is "disclosure" not "disclaimer." I
| see this mistake all the time.
| ilyt wrote:
| And the worst part is that before web that just worked - file
| manager did the thumbnails (or custom open dialog) and nothing
| needed to be sent to cloud...
| madeofpalk wrote:
| Right - before you shared things with other people, it didn't
| have the problems of sharing things with other people.
| jjice wrote:
| Agreed and I think it's due to two things:
|
| - The app just requests way more permissions than required.
| Often times you'll see an app that just requires read access
| that is requested read, write, personal email, and blood of
| your first born.
|
| I worked on a service that integrated with a lot of services
| that store data that one would deem business sensitive. When
| I'd always minimize permissions while setting up development, I
| had PMs/decision makers require that we ask for maximum
| permissions so future changes are easier. Felt wrong to me.
|
| - The service (OAuth2 provider) not having fine-grained enough
| permissions. Sometimes there would only be the option for
| "read" or "write". Sometimes you'd get access to "read
| documents", but you couldn't restrict the type of documents.
| The more options there are, the more confusing it can be, but
| the more control and security the user has and I think that's
| much more important than development confusion.
|
| I will say that I really appreciated what Notion does where
| they'll give you the ability to approve access to individual
| pages and while querying for pages you'll only ever see ones
| you've been granted access. The other side is that now a user
| has to approve each next page. There is also the option to allow
| everything existing and going forward. I think that's a great
| middle ground that gives control to the user. Whether the
| average user takes advantage of that is another question
| altogether.
| Obscurity4340 wrote:
| > Blood of your first born
|
| I mean, that's just straight-up reasonable. There's no free
| lunches on this world /s
| muglug wrote:
| This is a strange thing to publish in a company blog post
| (complete with interstitial adverts for Kapwing).
| frowin wrote:
| I don't see any problem here.
| muglug wrote:
| Full disclosure: I work for Slack.
|
| Typically if you think you found a security vulnerability
| and/or quirk, you contact the company before writing it up
| and hitting publish[1]. That way the company is not left in a
| potentially vulnerable state.
|
| [1] https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...
| agnokapathetic wrote:
| This has been shared with Slack many times by many separate
| organizations and always closed with WontFix / Working as
| Expected
| shkkmo wrote:
| This was reported at least 4 years ago and Slack doesn't
| apparently view it as a security issue:
| https://nitter.net/SlackHQ/status/1171336897819529219
| p337 wrote:
| I disclosed this personally 4 years ago via hacker one. The
| larger issue, imo, is that it indexes the content and
| allows an attacker to craft search terms which reveal the
| full contents of the document sort of like a blind SQLi. I
| was told it was working as intended and my report was
| black-holed on h1 and was told via email that it was
| "informational" and not a vulnerability.
|
| It's lame to come on here and act like people reporting
| this are acting in bad faith. I asked for permission to
| talk about it and was granted it, so I don't see why the
| author of this post shouldn't be able to do the same
| considering he doesn't even get into the search indexing
| aspect. The company is in a vulnerable state due to
| negligence in addressing the issue, not because it was
| publicly disclosed.
| filereaper wrote:
| The title feels wrong and might cause panic.
|
| A preview picture of the document's first page is shared whether
| the user has permissions or not.
|
| The entire document is not shared like what the title seems to
| suggest.
|
| For sensitive documents, this can certainly be a leak but it's not
| outright sharing in a traditional sense.
| gorlilla wrote:
| A preview of the first page is absolutely enough to put
| companies on the wrong side of government and/or industry
| regulations/compliance.
|
| It may not be as astronomically bad as you immediately
| imagined, but I don't see how the nuance makes any material
| difference with the urgency in which this would need to be
| contained/analyzed/investigated and reported timely where
| required.
| koolba wrote:
| > A preview of the first page is absolutely enough to put
| companies on the wrong side of government and/or industry
| regulations/compliance.
|
| So that whole, "_This page intentionally left blank_", is a
| security feature?
| benatkin wrote:
| Until the preview uses machine learning to skip that and
| show the first page containing content :)
| TeMPOraL wrote:
| Could be, except it's unlikely to be put on the _first
| page_, so at the very least, this integration is leaking
| the title, classification and authorship - and through
| that, existence - of a potentially sensitive document.
| judge2020 wrote:
| This is the point of the Slack app though. It does notify you
| if x recipients can't see a document, but it doesn't attempt
| to hide it from those who don't already have access.
|
| Companies can turn off the Google Drive app in their Slack
| workspace and block it in Google Workspace admin (and
| generally allowlist which apps can request Drive permissions:
| https://support.google.com/a/answer/7281227?hl=en ).
| paxys wrote:
| It is also only shared if the owner posts a link to the
| document in a public channel.
| bachmeier wrote:
| As someone that has to do FERPA training every year, I would
| classify that as a disaster.
| Xelbair wrote:
| Except if this page contains PII.
|
| or sensitive company secrets
|
| or relevant details of business deals
|
| or is a payslip
|
| etc etc.
|
| It is a horrible breach, that shouldn't exist and should be
| fixed ASAP. Also due to GDPR concerns.
|
| Saying that it is a non-issue is very short-sighted.
| ec109685 wrote:
| The reason it's implemented this way is that slack doesn't have
| the ability to generate a per user thumbnail based on the
| access rights of the document.
|
| As the sender of the slack link, Slack should give the option
| to include the preview or not, like it does for other unfurls.
|
| Where there would be a major problem is if someone could trick
| slack to generate a preview of a link they don't have access
| to.
|
| Secondarily, I have seen slack show an obsolete preview, which
| could result in something accidentally shared.
| rjmunro wrote:
| Many of my documents are only one page, especially private
| confidential ones like communications with HR.
| darkerside wrote:
| Even more than that, the page is cached as it was at the time it
| was shared. I've seen this happen with documents that were later
| edited, with hilarious results.
| hunter2_ wrote:
| Isn't that the case with "unfurling" anything, though? Whether
| Slack generates a thumbnail or just pulls text from meta tags?
| Same with other apps like Teams, FB Messenger, etc? None of
| this is known to poll for changes frequently enough to avoid
| the hilarity of caching.
| jeromegv wrote:
| It seems odd because I did share Google Doc private docs very
| often in Slack in the past, and Slack would tell me that this was
| not a public document so it could not show a preview. So I wonder
| if something changed.
| freetanga wrote:
| If you keep your personal files on GDrive, they might be personal
| but they are not private.
| hunter2_ wrote:
| Would the terms established by Google, agreed to by a developer
| creating an integration like this, include a need to respect
| permissions unless the user explicitly requests (or is explicitly
| informed of) additional access for parties beyond those already
| granted access by Google's system directly? If so, it seems like
| this could be reported to Google who would pull it down and force
| Slack to comply, if Slack doesn't want to on their own.
|
| I suppose the installation of the integration already involves a
| Google-served message along the lines of "Slack will be able to
| see everything as you do" but that's not quite explicit enough
| for a user to then extrapolate "...and may share it however they
| like without telling you." Like of course they could, but they
| shouldn't, unless it's super clear, and it's not.
| btown wrote:
| https://developers.google.com/terms/api-services-user-data-p...
| is somewhat ambiguous on this front:
|
| > Limit your use of data to providing or improving user-facing
| features that are prominent in the requesting application's
| user interface;
|
| > Don't allow humans to read the data, unless: You first
| obtained the user's affirmative agreement to view specific
| messages, files, or other data, with the limited exception of
| use cases approved by Google under additional terms applicable
| to the Nest Device Access program...
|
| Did Slack make it clear to the user sharing their Drive link
| that the preview isn't just visible to them, but to anyone in
| the channel or who has access to the link? Was that clear
| enough to be affirmative agreement? Is the little area where
| the preview is shown while you're composing a Slack message
| prominent enough to display that it will include a screenshot
| of the data?
|
| Clearly, Slack thinks the answer to all these questions is yes,
| and Google either agrees or isn't enforcing their guidelines
| here.
|
| (...As an unrelated point, the fact that the Nest Device Access
| guidelines are an explicit exception to even this modicum of
| user visibility, that the guidelines aren't linked, and can be
| unilaterally changed by Google without notification to users
| is... well, why I don't own Nest devices.)
| machiste77 wrote:
| How would someone in the slack workspace discover the thumbnail
| image url?
| jrmg wrote:
| But the recipient already has access to the shared document?
|
| Is the concern that the recipient might share the link to the
| image? Again, they already have access to the shared document if
| they want to leak it.
|
| I don't think accidental discovery is possible - there's a long
| shard of random data in there. It's no more discoverable than the
| share link.
| p337 wrote:
| If you use the drive integration, you share it with Slack.
| Slack then creates a thumbnail that is visible in that channel.
| Imagine pasting a sensitive HR document in the big company chat
| with everyone in it. No one in the group may have permission
| via Google, but they can see the thumbnail (and search its
| contents!) if they have access to the slack room.
|
| Edit: I should note, this is my fuzzy recollection of how it
| worked 4 years ago when I reported it to Slack. YMMV
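
The per-viewer check that this comment and the earlier replies about permission-aware search point toward, as an added example that is not part of the thread and is not Slack's or Google's code. It is a toy Python model that decides at display time whether a channel member sees the cached thumbnail, and filters search on the same access list. All class names, function names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class DriveDoc:
    doc_id: str
    revision: int                      # bumped on every edit
    text: str
    readers: set = field(default_factory=set)   # principals with access in Drive

@dataclass
class CachedPreview:
    doc_id: str
    revision: int                      # revision the thumbnail was rendered from
    image_ref: str

NO_ACCESS = "[preview hidden: no access to this file]"
STALE = "[preview hidden: file changed since it was shared]"

def render_unfurl(doc, preview, viewer):
    """Decide at display time, per viewer, what the channel message shows."""
    if viewer not in doc.readers:
        return NO_ACCESS               # being in the channel is not a grant
    if preview.revision != doc.revision:
        return STALE                   # never serve a thumbnail of old content
    return preview.image_ref

def search(docs, query, viewer):
    """Filter on the ACL before matching, so hits cannot confirm hidden text."""
    visible = (d for d in docs if viewer in d.readers)
    return [d.doc_id for d in visible if query.lower() in d.text.lower()]

def members_without_access(doc, channel_members):
    """Who would see the placeholder; useful as a warning to the poster."""
    return sorted(set(channel_members) - doc.readers)

# Constructed sample data (not taken from any real workspace).
DOC = DriveDoc("doc-1", 3, "Draft performance improvement plan", {"hr", "manager"})
PREVIEW = CachedPreview("doc-1", 3, "thumb/doc-1-r3.png")
CHANNEL = ["hr", "manager", "employee"]

if __name__ == "__main__":
    for member in CHANNEL:
        print(member, "->", render_unfurl(DOC, PREVIEW, member))
    print("search as employee:", search([DOC], "improvement plan", "employee"))
    print("warn poster about:", members_without_access(DOC, CHANNEL))
```
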
| jordigg wrote:
| This has been true since the integration was released and main
| reason it's been disabled at most companies I've worked at.
| Definitely nothing new and reported to Slack and Google multiple
| times, always replied with working as expected. If you don't like
| how it works, remove it. Recently the UI and options changed a
| bit and you can now disable previews but I believe is a user
| setting and not an organization setting.
| frizlab wrote:
| Same is true for tickets that have security policies in Jira.
| orliesaurus wrote:
| I understand importance of respecting access control but if
| you're sharing a Google Drive on a private or public slack
| workspace, you probably are doing it wrong to begin with because
| anyone who has access to the channel is ideally someone you trust
| with the content you're sharing
___________________________________________________________________
(page generated 2023-10-12 21:01 UTC)