by jszymborski 1256 days ago
Is it all that much more a risk than taking a screenshot, putting it on cloud storage like OneDrive/GDrive, and sharing with an "anyone who has the link" permission?

B/c I feel like that is super common and kind of impossible to stop with a permissions approach.

6 comments

Yes?

When you take a screenshot, its contents are known and fixed.

When you regularly and automatically refresh a screenshot of a particular x/y coordinate part of a specific screen on a website, what happens when "positive customer interactions" gets moved, and "internal notes on this customer, not for sharing with them" gets put in that spot?

Perhaps they can make it so that the element's XPath / node id is stored and used for capture rather than X + Y coordinates. Still prone to failure I know, but ultimately more reliable.

My guess is this works by uploading your browser's data (cookies, local storage, etc.) to Plus so that it can retake the screenshot with a headless browser even if the web page requires authentication. So if someone hacks Plus or if some employee goes rogue, they can potentially access any web app you are taking screenshots of.

In other words, if Plus becomes popular, its database will become a prime target for hackers and three letter agencies.

Based on the Chrome extension's minified source code (via https://chrome.google.com/webstore/detail/plus/bnebanooamokk...), with files like runReloadCurrentSnapshot.js, it seems that Plus's background worker is loading pages (possibly as pop-unders) in your browser as you use it, using whatever your current cookies & localStorage credentials happen to be.

What this means is that (whether now, or with an update that could easily slip the notice of Chrome Web Store auditors) Plus could direct your browser to take these actions on a domain where you had never explicitly told it to take a screenshot, using not only the credentials from when you installed Plus but whatever credentials exist on an ongoing basis.

Of course, this is also true of any extension that you grant permission to access all websites. But Plus has already shipped the code to access the DOM of arbitrary tabs already loaded in everyone's browser, and communicate that information to the cloud, without an auditable open-source core. I have a lot of trust, for instance, that if uBlock Origin were to start sending my data to the cloud, someone would post about it on HN. An attacker with the ability to send updates to the Chrome Web Store as Plus, and operate Plus servers as command-and-control servers, could do this a lot more subtly, and that's definitely a yellow flag.
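The risk described in this comment comes from the combination of all-sites host access, cookie/tab APIs and a background context. As an added illustration (not code from the thread or from Plus), here is a small audit of a Chrome extension manifest that flags exactly that combination; the manifest below is constructed for a hypothetical extension, not Plus's real one.

```python
import json

# Chrome match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that, with broad host access, let an extension read
# session state or page content and ship it off-device.
SENSITIVE_APIS = {"cookies", "tabs", "scripting", "webRequest",
                  "webNavigation", "debugger"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise risk indicators in a Chrome extension manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 listed host patterns under "permissions"; MV3 moved them to
    # "host_permissions". Content-script "matches" grant DOM access too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    broad = sorted(hosts & BROAD_HOSTS)
    sensitive = sorted(perms & SENSITIVE_APIS)
    has_background = "background" in manifest
    return {
        "broad_patterns": broad,
        "sensitive_apis": sensitive,
        "has_background": has_background,
        # Highest risk: reaches every site, can read cookies/tabs, and has a
        # background context that acts without the user looking at a page.
        "high_risk": bool(broad) and bool(sensitive) and has_background,
    }


# Constructed manifest for a hypothetical extension (not a real one).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "example-capture",
  "permissions": ["cookies", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "worker.js"},
  "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest.json unpacked from any installed extension to see which of these indicators it carries; a hit on all three is the case the comment above warns about.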

All tech companies, if successful, will one day be a target for hackers and security agencies.

That screenshot possibly becomes outdated the second after it’s snapped. This seems to be able to store session data from the user that took the screenshot, and will happily allow anyone access to view it.

The example video shows him taking a screenshot of an Amplitude dashboard using a browser plug-in. Thinking about how that’s possible, it must be skimming the session cookie off the browser, and using it to request the same page on Plus’s side to generate an image. You can imagine how that might be compromising.

Edit: you log in within the Plus web app itself, which feels a little better. Still no totally secure way to do this but seems really useful.

A lot of orgs lock down access to cloud storage (eg only company managed OneDrive on company managed devices) to prevent these kinds of data leakage. So they’d block access to this tool too.

Well managed companies will use one approved cloud tool like OneDrive or GDrive and turn that off in permissions if they want. Just like this site will and should be blocked if it gets popular enough.

One manually taken screenshot vs dozens of screenshots taken automatically