Introducing single-space guests beta in Confluence Cloud!

Hi @NidhiRaj ,
Thank you for posting the announcement here as well.
I believe there is a risk of leaking information in the way guest users are implemented.

As I understand, guest users can’t @ mention other users. However, some apps implement a “user picker”. Through this user picker, guest users can get to know other users, while that should not be the case.

Related to that, some apps do workflows and change the permissions of content based on what users do. If a guest user takes such an action, the permissions of content can be changed by an app if the app is not aware of the guest user status. This is in contradiction to the expected case that:

I believe there might be many more cases where (unintentionally) security issues might arise, i.e. through actions in webhooks initiated by a guest user. Many apps do an action based on the underlying permissions model and the understanding that the user is a regular user. If that changes, the underlying permissions model changes by adding a new permission type for guest users.

Can we get more detailed information on the impact of information leakage, and what apps are supposed to do?

3 Likes