The Lightshot app generates URLs that are easy to guess or scrape, making it alarmingly easy for anyone to view grabs of private messages or intimate photos. People are unknowingly doxxing themselves and leaking their own sensitive private information using a popular screenshot app that sends people’s grabs to the web. The URLs of scores of screenshots captured by the app are easily discoverable online, leaving them open to data scrapers and criminals.
The Lightshot screen grabbing app, which is owned by software development firm Skillbrains, is used by millions of people to take and share images they capture on their computers and phones. After taking the screenshot, people have the option of uploading their image to the company’s server, where it is given a publicly accessible URL. Other choices include saving it to a desktop or sharing directly to social media.
The URL option is meant to allow users to share their screenshots with friends, family, or colleagues across social media platforms. More than two billion screenshots have been uploaded through Lightshot, the company’s website says. But the way the URLs are generated creates a major privacy problem.
All the URLs for screenshots follow a simple format: prnt.sc/ (Lightshot’s server), followed by a six-character alphanumeric code. The space of possible codes is small enough to sample by hand: anyone can type in prnt.sc/ and a random string of six numbers and/or letters and potentially land on another user’s uploaded screenshot. In fact, many have in the years since it was released.
The earliest stable release of Lightshot was in 2014, and since then the application has branched out across several browsers and operating systems. There are Mac and Windows apps, alongside extensions for Chrome and Firefox. There have been more than one million downloads of the Lightshot Chrome extension and 40,000 people use the Firefox version. On Android, it has been downloaded more than 500,000 times from Google’s Play Store.
WIRED looked at the results of 11,000 randomly generated Lightshot URLs and found sensitive personal information. Most of the URLs are innocuous or just come up with error messages stating that the screenshot has been deleted or can no longer be found. But many include content including names, addresses, contact numbers, bank details, and even screen grabs of intimate video calls.
An automatic web-scraping script found 529 live images at the 11,000 URLs generated, a hit rate of roughly five percent. Around 63 percent of these are made up of video game screengrabs, coding instructions, apartment listings, and so forth. So far so unremarkable.
Around 20 percent of images analyzed include information that could be used to steal someone’s identity or break into other online accounts. People shared grabs of chat logs, emails, and social media posts using identifiable usernames.
The analysis showed eight percent of public screenshots contained more sensitive personal information. These included six nudes captured from video calls; six screenshots of people’s private Facebook photos (some from children’s profiles); and 30 images containing names, login details, bank information, phone numbers, IP and shipping addresses, and PO Box numbers.
“Making sensitive user data openly available in this manner creates an unfair imbalance where digital platforms profit at the cost of user privacy,” says Bhagya Wimalasiri, a research assistant at the Security of Advanced Systems Group in the University of Sheffield. Wimalasiri adds that such platforms are built on models that monetize the very feature of insecurity – either by mining data or creating seemingly convenient user functions.
Skillbrains, the owners of Lightshot, did not respond to multiple requests for comment. However, its terms of service highlight that images uploaded aren’t private. “Every image can always be accessed and viewed by anyone who types in that exact URL. No image uploaded to this website is ever completely hidden from public view,” the terms of service say. “Functionality of our website is not intended to be a secure platform; it's for sharing images.”
The ability to find highly sensitive information uploaded through Lightshot is an open secret. Web-scraping is a common exercise on Lightshot, and people have uploaded their own scraping scripts to GitHub. One person uploaded a collection of 13,000 Lightshot images to data science website Kaggle; other tools claim to analyze screenshots and detect what’s in each image.
Lightshot’s terms of service say people are not allowed to upload files that have mature content or would constitute ‘abuse’ and violate the legal rights of others. However, when it comes to people’s personal information being exposed, there aren’t many warnings for those who are looking for a quick way to share a grab of what’s on their screen. Neither the user interface of the Lightshot tool nor the homepage of its website clearly states that everything uploaded to it should essentially be considered public.
By accidentally doxxing themselves, people open themselves up to an array of attacks. With the right data, criminals could steal their identity, withdraw money from their accounts, or target them with phishing attacks.
Both consumers and companies are responsible for stopping personal information from being exposed. People should be aware of the often unseen trade-offs between convenience and privacy and, with a bit more care, self-monitor the material they’re releasing into the wild web. On the app development side, scraping could be made far more difficult by generating URLs less formulaically: a share link should be a long random token that cannot be guessed, not a short code that a script can walk through. Just ask Parler.
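The following is an added example, not code from WIRED or from Skillbrains, that puts numbers on the two points above: why a six-character code is enumerable, and what "less formulaic" URL generation looks like. It assumes, since the article does not say, that the code is drawn from lowercase letters and digits (36 symbols); under that assumption the keyspace is 36^6, about 2.18 billion, which is close to the "more than two billion" uploads the company claims. The live-image estimate uses the article's own figures (529 hits in 11,000 random probes) and the usual relation for uniform sampling: hits / probes ≈ live objects / keyspace. The hardened generator uses Python's `secrets` module, which draws from the OS CSPRNG.

```python
import math
import secrets
import string

# Assumption (not specified by the article): prnt.sc codes use a 36-symbol
# alphabet of lowercase letters and digits, six characters long.
SHORT_ALPHABET = string.ascii_lowercase + string.digits
SHORT_LENGTH = 6

# Figures quoted in the article (WIRED's random-probe experiment).
ARTICLE_PROBES = 11_000
ARTICLE_HITS = 529


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes a fixed-length scheme can produce."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Guessing resistance of a uniformly random code, in bits."""
    return length * math.log2(alphabet_size)


def expected_hits(probes: int, live_objects: int, space: int) -> float:
    """Expected number of live objects found by `probes` uniform random guesses.

    With uniform guessing, each probe lands on a live object with probability
    live_objects / space, so the expectation is linear in the number of probes.
    """
    return probes * live_objects / space


def estimate_live_objects(hits: int, probes: int, space: int) -> float:
    """Invert expected_hits(): infer how many live objects a hit rate implies."""
    return hits / probes * space


def weak_share_id() -> str:
    """The formulaic scheme: a short code from a small alphabet.

    Even with a CSPRNG the space is only 36**6, so random probing works.
    """
    return "".join(secrets.choice(SHORT_ALPHABET) for _ in range(SHORT_LENGTH))


def hardened_share_id(nbytes: int = 16) -> str:
    """An unguessable share token: 128 bits from the OS CSPRNG, URL-safe base64.

    A six-character code can still be kept as the *display* name, but the
    URL that grants access must carry this token.
    """
    return secrets.token_urlsafe(nbytes)


def compare_schemes(probes: int = ARTICLE_PROBES, hits: int = ARTICLE_HITS) -> dict:
    """Summarise the weak scheme against a 128-bit token for the same probe budget."""
    short_space = keyspace(len(SHORT_ALPHABET), SHORT_LENGTH)
    live = estimate_live_objects(hits, probes, short_space)
    return {
        "short_keyspace": short_space,
        "short_entropy_bits": bits_of_entropy(len(SHORT_ALPHABET), SHORT_LENGTH),
        "estimated_live_images": live,
        # Same number of live images, same probe budget, 128-bit token space.
        "expected_hits_short": expected_hits(probes, int(live), short_space),
        "expected_hits_128bit": expected_hits(probes, int(live), 2 ** 128),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key:>24}: {value:,.3g}" if isinstance(value, float) else f"{key:>24}: {value:,}")
    print("weak id:    ", weak_share_id())
    print("hardened id:", hardened_share_id())
```

Read the output as a design argument rather than a measurement: with the article's hit rate, the six-character space would have to hold on the order of a hundred million live images, and 11,000 guesses against a 128-bit token space would be expected to find essentially none of them (on the order of 10^-26). The token does not need to be a secret the user remembers; it only needs to be impossible to enumerate, which is why `secrets.token_urlsafe` rather than a counter or `random.choice` is the right primitive.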