Privacy Threat: Lightshot app

With rapid digitalization in almost every field, data security and internet privacy have become topics of serious concern. If you are surfing the internet on your smartphone and want to refer back to something you see, all you need to do is take a screenshot, and the image is automatically stored in your gallery. But have you wondered whether a similar feature is available on Windows or Mac? There, apps like Lightshot let you capture a screenshot and store it or share it with others from your computer.

Although sharing information through screenshots seems simple enough, people unknowingly expose a lot of their personal data on the internet this way. This has raised several questions about data security associated with Lightshot. The company’s website suggests that around two million screenshots are shared with the help of this app. To understand the safety concerns, we first have to understand what Lightshot does and how it does it.

What is Lightshot?

The Lightshot application allows users to grab a screenshot from their computers, and its special feature is that you can capture just a particular area of the screen. This saves you the time of editing and cropping the image later. Along with sharing, it has some interesting options, such as searching the internet for similar images simply by uploading your image in the search tab of the Lightshot application.

The Lightshot screen-grabbing app is owned by the software development firm Skillbrains. With the help of this app, millions of people are taking and sharing images from their computers and smartphones. After taking a screenshot, people have the option to save it on the desktop, upload it to the company’s server with a publicly accessible URL, or share it on social media.

Why is it considered a threat?

The URL option is primarily meant to allow sharing of screenshots among family, friends or colleagues through different channels. The method used to generate these URLs is the main reason for the safety concerns. The URLs follow a very simple format: prnt.sc/ (Lightshot’s server) followed by a 6-digit alphanumeric code. This means that anyone can enter prnt.sc/ and a random string of 6 numbers or letters and may come across screenshots uploaded by another user. This has been done many times since the app's release.

The earliest stable release of the application came in 2014, and since then Lightshot has spread across many browsers and operating systems. As a measure of its popularity, the Chrome extension has an estimated one million downloads, and 40,000 people use it through Firefox. Android download data suggests that it has been downloaded more than 500,000 times from Google’s Play Store.

WIRED looked at 11,000 randomly generated URLs to test whether they revealed any sensitive personal data. Most of these URLs came back with a message that the data is no longer available or has been deleted, and a few showed errors, whereas a few turned up detailed information about the user, including name, address, contact details and bank details, along with some private and intimate screenshots of video calls. An automated web scraping script found 529 live images from the 11,000 generated URLs. Further analysis revealed that 63% of these were screenshots of video games, coding instructions, advertisements for apartment listings and the like. These are not so significant in terms of security.

But 20% of the available data contained information that can easily lead to identity theft or financial fraud. The shared images included chat logs, emails and social media posts that contained visible and identifiable user information.

Further analysis showed that 8% of the images contained sensitive information, including nudes from video calls, screenshots of Facebook photos (including those of children’s profiles), and a few more containing names, login IDs, bank and phone details, IP and shipping addresses, etc.

Bhagya Wimalasiri, a research assistant at the Security of Advanced Systems Group at the University of Sheffield, said, “Making sensitive user data openly available in this manner creates an unfair imbalance where digital platforms profit at the cost of user privacy.” She added that such platforms are built on models that monetise the very feature of insecurity – either by mining data or creating seemingly convenient user functions.

These findings have raised concerns about data safety, and on several occasions Skillbrains, the owner of the Lightshot app, has been asked to respond.

A closer look at the terms of service of the Lightshot app shows that they clearly state that uploaded images are not private: “Every image can always be accessed and viewed by anyone who types in that exact URL. No image uploaded to this website is ever completely hidden from public view.” They also declare, “Functionality of our website is not intended to be a secure platform; it’s for sharing images.”

The availability of sensitive data through images uploaded with the help of Lightshot is not really a secret. Web scraping is a common exercise on Lightshot, and people have uploaded their own scraping scripts to GitHub.

According to Lightshot’s terms of service, images that contain mature content or “abuse”, or data that violates the legal rights of others, are not permitted to be uploaded. But there is very little clarity when it comes to people’s personal information. Neither the user interface of the Lightshot tool nor the home page of its website states clearly that uploaded data will be considered public.

There are several alternatives to Lightshot, such as Greenshot, ShareX, Shutter, Snipping Tool and PicPick. People can always choose the option that suits their needs.

By accidentally doxing themselves, people make themselves vulnerable targets for several kinds of online attack. This gives criminals an opportunity to obtain sensitive information that can lead to identity theft, fraudulent transactions from bank accounts, or targeted phishing attacks.

Final word

Awareness and vigilance on the part of users when sharing personal data is essential to safeguarding their own privacy. Being discreet and careful while sharing on the web is a precaution every user has to take. Consider the alternatives to Lightshot listed above when sharing screenshots. As for the developers of apps like Lightshot, they need to make scraping more difficult by generating URLs that are less formulaic. In the end, it is the joint responsibility of user and service provider to ensure that personal information is not exposed.
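To make the URL-format problem and the recommended fix concrete, the following Python sketch (an added example, not code from Lightshot or WIRED) quantifies how guessable a 6-character ID is using the 529-in-11,000 sample reported above, and shows how a service could issue unguessable share tokens instead. The 36-symbol alphabet and all function names are assumptions made for illustration.

```python
import math
import secrets

# Figures reported on this page: 529 live images among 11,000 random URLs.
SAMPLED_URLS = 11000
LIVE_IMAGES = 529
# Assumption: IDs draw from 36 symbols (a-z, 0-9); the page only says "alphanumeric".
ALPHABET_SIZE = 36
ID_LENGTH = 6


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct IDs of the given length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of unpredictability if every ID were equally likely."""
    return length * math.log2(alphabet_size)


def observed_hit_rate() -> float:
    """Fraction of random guesses that returned a live image in the sample."""
    return LIVE_IMAGES / SAMPLED_URLS


def guesses_per_hit(hit_rate: float) -> float:
    """Expected number of random guesses per live image (geometric mean)."""
    return 1.0 / hit_rate


def estimated_live_images() -> int:
    """Live images implied by the sample, under the 36-symbol assumption."""
    return round(observed_hit_rate() * keyspace(ALPHABET_SIZE, ID_LENGTH))


def hit_rate_with_token(live_images: int, token_bits: int) -> float:
    """Chance one random guess hits a live image when IDs are random tokens."""
    return live_images / 2 ** token_bits


def new_share_token(nbytes: int = 16) -> str:
    """Unguessable share ID: nbytes from the OS CSPRNG, URL-safe base64."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    live = estimated_live_images()
    print(f"6-char ID entropy: {entropy_bits(ALPHABET_SIZE, ID_LENGTH):.1f} bits")
    print(f"guesses per live image: {guesses_per_hit(observed_hit_rate()):.1f}")
    print(f"hit rate with 128-bit tokens: {hit_rate_with_token(live, 128):.2e}")
    print(f"example token: {new_share_token()}")
```

With short IDs roughly one guess in 21 lands on a live image; with 128-bit random tokens over the same number of images, a single guess succeeds with probability on the order of 10^-31, which makes blind enumeration impractical.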
