THURSDAY, MAY 7TH, 2020
The Art Of Lightshot, Or: How I Learned To Start Worrying, Oh God, Oh Jeez, Oh Fuck
THE LATEST SCOOP
I would recommend to anyone looking for screenshot software to use ShareX. Its free, open source, hugely configurable, has a ton of neat features...
And, most importantly, it seems the upload feature just uploads to Imgur. People understand that Imgur is public. It is also opt-in, so you're not likely to accidentally throw your stuff online. It would be wildly irresponsible to make that the default, right?
So let's talk about Lightshot!
If you're unaware, Lightshot is a popular competing program for taking screenshots. It has far less features, but whatever, it seems to get the job done perfectly fine...
Except, oops! Lightshot might be one of the biggest security leaks in the history of the world.
On Lightshot, your pictures are uploaded to a public url. And, sure - Discord and other services do that too, with any image you upload. But the crucial difference is that Lightshot's urls are so short and so simple that there is nothing stopping you from, say, increasing the url by 1, and finding someone else's image. Imagine if you could do that with Discord images, eh? To put it lightly, it would be a *problem.* a big one. A lot of people use Discord, and I think a lot more use Lightshot.
Lightshot, of course, tells you on its site that it isn't for secure screenshots... if you click to their privacy page and bother reading, which nobody in history has ever done. The result of this is that you have millions of people putting their potentially private screenshots up online. Anyone else can access those images extremely easily. I think you can see where this is going.
Here, to make it even easier, someone's made a site to skim these screenshots! Use at your own risk, by the way.
Click it a couple times and i'm sure you'll see some interesting things. Game chats, random websites, spreadsheets, programs, pornography...
Code which might be secret.
Credit card numbers.
Bank account information.
And these aren't just in English! If you look around, you'll find that they're in a wide variety of languages, from Russian to Portuguese. This clearly isn't an issue limited to just the United States.
None of the screenshot-skimming sites I've found comment on the ethical concerns of this, and yet within maybe five clicks you'll likely see something sensitive. It's trivial to set up something like this, and it would be barely less trivial to download the entire website's database with literally the simplest bot ever.
How many company databases are compromised by this? How many intimate moments? Government secrets? Illegal actions? You can report sensitive images, but when there are so many being taken every second, and so many potential ne'er-do-wells out there willing to exploit this, it's a laughably impossible effort. The only way to solve this would be to immediately take down all of Lightshot or change its URLs, but how many hotlinks would that break across the entire internet? And, surely, the world governments concerned with privacy would have shut this down already... were it not beneficial to them. (But let's not get conspiratorial here.)
So, short-term? Move to ShareX, or something else. If you have a Lightshot account you can delete your images. But, in the longer term, consider that nothing you put online is private. What if it comes out tomorrow that everything in Google Drive - even supposedly hidden shit - was visible to anyone who used some website? What if Discord's images ARE easy to find in order in a similar way to Lightshot? What if, tomorrow, every half-finished script, 3 am rambling, dodgy conversation, and terrible choice you made in your notes app was put on a digital billboard?
In moving to the cloud, we've given up our privacy - so be mindful of what you do up there. You never know who's watching from the ground.
Disclaimer: Please do not commit any crimes because of this information. If you see sensitive details, just report the pictures - these people don't deserve corporate sabotage, identity theft, and the like. and also you will probably go to jail.
THURSDAY, MAY 7TH, 2020