Integrations & Security

Slack Security: Why Link Previews ("Unfurls") Are Leaking Your Data

EnvShareApp Team · Jan 30, 2026 · 6 min read

You paste a link into Slack. A second later, a beautiful preview card appears with the title, description, and an image.
That preview just burned your one-time secret.


The "Slackbot Visit" Problem

To generate that preview (called "unfurling"), Slack sends a bot (`Slackbot-LinkExpanding`) to visit the URL you just pasted.

If you are sharing a "One-Time Password" reset link or a standard "Burn on Read" secret, Slackbot becomes the first reader.

The Sequence of Destruction

  1. You: Paste https://app.com/secret/123 into #general.
  2. Slackbot: Immediately sends a GET request to that URL to fetch OpenGraph tags.
  3. Server: Sees the request, marks the secret as "Viewed", and deletes it.
  4. Recipient: Clicks the link 2 seconds later.
  5. Recipient sees: "404 - Secret Not Found".

This is a classic problem with simple "burn-on-read" tools. They treat bots and humans as the same thing.

How EnvShareApp Solves This ("Smart Unfurling")

We built EnvShareApp specifically to play nice with Slack, Discord, and Teams. Instead of blocking bots (which breaks previews) or letting them burn secrets, we implemented Smart Unfurling.

1. Zero Knowledge Previews

Remember, we cannot read your secret. The decryption key is in the URL fragment (`#key`). Browsers do not send the fragment to the server when they request the page; it stays on the client.

Slackbot visits envshare.app/s/xyz but does NOT receive the #decryption_key, so it cannot read the secret even if it wanted to.

2. Metadata-Only Responses

When our server detects a link-preview bot User-Agent (like Slackbot), we serve a special `<head>`-only response. It carries Safe Metadata in OpenGraph tags:

<meta property="og:title" content="Secure Secret (Encrypted)" />
<meta property="og:description" content="Expires in 59 minutes. 1 View remaining." />
<meta property="og:image" content="https://envshare.app/preview-lock.png" />

This tells Slack: "Here is a nice preview card showing the expiry status," but it does NOT trigger the "Burn" logic because the key wasn't provided.
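To make the difference concrete, here is an added example (not EnvShareApp's own code) that puts the naive burn-on-GET handler from the "Sequence of Destruction" next to a hypothetical smart-unfurling handler, then replays the same Slackbot-then-recipient sequence against each. The secret store, user-agent strings, `/s/<id>` and `/api/reveal/<id>` paths and all function names are constructed for the example.

```python
# Added example (not EnvShareApp's code): naive burn-on-read vs. "smart unfurling".
# Store contents, user-agent strings, paths and function names are constructed.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Slack's unfurler identifies itself with a "Slackbot-LinkExpanding" User-Agent; the other
# patterns cover common link-preview crawlers. The match is a hint for which page to serve,
# never an authorization decision: neither branch below can reveal the secret.
PREVIEW_BOT_RE = re.compile(
    r"slackbot|discordbot|twitterbot|facebookexternalhit|telegrambot|whatsapp|linkedinbot|skypeuripreview",
    re.IGNORECASE,
)
SLACK_UA = "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"


def is_link_preview_bot(user_agent: str) -> bool:
    return bool(PREVIEW_BOT_RE.search(user_agent or ""))


@dataclass
class SecretRecord:
    ciphertext: bytes  # the server only ever holds ciphertext; the key rides in the URL fragment
    views_remaining: int = 1
    minutes_to_expiry: int = 59


def make_store() -> dict:
    # Constructed sample: one secret reachable at /s/xyz, one view allowed.
    return {"xyz": SecretRecord(ciphertext=b"\x9a\x01constructed-ciphertext-blob")}


def _secret_id(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def naive_share_page(store: dict, path: str, user_agent: str) -> Tuple[int, str]:
    """Naive burn-on-read: the first GET of the share page consumes the view, whoever sends it."""
    secret_id = _secret_id(path)
    rec = store.get(secret_id)
    if rec is None:
        return 404, "404 - Secret Not Found"
    rec.views_remaining -= 1
    if rec.views_remaining == 0:
        del store[secret_id]
    return 200, "<html><body>ciphertext=" + rec.ciphertext.hex() + "</body></html>"


def og_tags(rec: SecretRecord) -> str:
    """Safe metadata only: expiry and view status, never content."""
    return (
        '<meta property="og:title" content="Secure Secret (Encrypted)" />'
        f'<meta property="og:description" content="Expires in {rec.minutes_to_expiry} minutes. '
        f'{rec.views_remaining} View remaining." />'
        '<meta property="og:image" content="https://envshare.app/preview-lock.png" />'
    )


def smart_share_page(store: dict, path: str, user_agent: str) -> Tuple[int, str]:
    """Smart unfurling: GET /s/<id> never burns. Bots get a <head>-only OpenGraph response;
    browsers get an app shell whose script reads the key from location.hash and only then
    calls the reveal API. Unfurlers do not run that script, and the fragment never reaches
    the server on either branch."""
    secret_id = _secret_id(path)
    rec = store.get(secret_id)
    if rec is None:
        return 404, "404 - Secret Not Found"
    head = "<head>" + og_tags(rec) + "</head>"
    if is_link_preview_bot(user_agent):
        return 200, "<html>" + head + "</html>"
    shell = ("<body><script>/* key = location.hash.slice(1); "
             f"fetch('/api/reveal/{secret_id}', {{method: 'POST'}}) */</script></body>")
    return 200, "<html>" + head + shell + "</html>"


def smart_reveal_api(store: dict, secret_id: str) -> Tuple[int, Optional[bytes]]:
    """POST /api/reveal/<id>: the only endpoint that consumes a view and returns ciphertext.
    Decryption happens in the browser with the fragment key; the server never sees it."""
    rec = store.get(secret_id)
    if rec is None:
        return 404, None
    rec.views_remaining -= 1
    if rec.views_remaining == 0:
        del store[secret_id]
    return 200, rec.ciphertext


def replay_sequence(smart: bool) -> dict:
    """Replay the post's sequence: Slackbot unfurls first, the recipient clicks 2 seconds later."""
    store = make_store()
    page = smart_share_page if smart else naive_share_page
    bot_status, bot_body = page(store, "/s/xyz", SLACK_UA)
    human_status, _ = page(store, "/s/xyz", BROWSER_UA)
    reveal_status = None
    if smart and human_status == 200:
        reveal_status, _ = smart_reveal_api(store, "xyz")  # what the shell's script would do
    return {
        "bot_status": bot_status,
        "bot_saw_ciphertext": "ciphertext" in bot_body,
        "recipient_status": human_status,
        "reveal_status": reveal_status,
        "secret_still_stored": "xyz" in store,
    }


if __name__ == "__main__":
    print("naive:", replay_sequence(smart=False))
    print("smart:", replay_sequence(smart=True))
```

Because the share page itself never burns anything, spoofing the User-Agent gains nothing: a browser claiming to be Slackbot only gets the metadata card, and a crawler claiming to be a browser gets a shell it cannot act on without executing the script and holding the fragment key. The burn moves to the one endpoint a real reader's page actually calls.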

The Result: A Beautiful, Safe Experience

Instead of a broken link or a premature burn, your team sees this:

EnvShareApp
Secure Secret (Encrypted)
Expires in 1 hr • 1 View remaining
End-to-End Encrypted
(Simulated Slack Preview)

Bonus: The "Slack App" Integration

For even better security, use our native Slack App. It allows you to type /envshare my-secret directly in the message box.

The command generates the link privately and posts it for you, so the link never has to pass through your clipboard at all.

Conclusion

Don't let "helpful" bots destroy your security workflow. EnvShareApp is aware of the modern chatbot ecosystem and protects your data from accidental bot-clicks.