A strange bug leads me to discover an undocumented Chrome for Android feature which is potentially a privacy hole.

Aymen
Nov 21, 2018

When I find an interesting article on my phone and want to continue reading it on my computer, I usually use Pushbullet. Last week, when I tried sharing a page from Chrome on my Android phone to my computer, a strange thing happened: rather than a new tab opening with the link I shared, a file started downloading to my computer. Thinking it might be a text file with the link, I tried opening it in a text editor, but it turned out to be a binary. A quick file check in a terminal revealed it was, in fact, a JPG file. Strangely, when I opened the file, it was a screenshot of the tab I shared. I was surprised, because I had shared multiple times before and this had never happened. I tried sharing another tab, and this time it worked as expected. Looking at the link I had shared before, the only thing that stood out was that it had a “dev” TLD (top-level domain). By trying other pages with the “dev” TLD and some random TLDs, I managed to replicate the bug, and I reported it to the Pushbullet developers.

Wondering how Pushbullet got the screenshot to send in the first place, rather than the link as it usually does, I started investigating how Chrome's share works and what is included in the intent. For that, I decided to create a test app that registers to handle all shares and prints what is included in the intent. Testing it on my Android 9 device with Chrome 70.0.3538.80 installed, I saw that it is Chrome that shares the screenshot as part of the share intent, using the key “share_screenshot_as_stream”.

Left: Chrome. Right: my test app with the screenshot shared from Chrome.
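
A share-target activity along the lines of the test app described above, as an added example that is not the author's code. The package and class names are hypothetical, the manifest filter is described in the first comment, and treating the value of the extra as a content `Uri` is an assumption.

```kotlin
// Added example, not the author's app. Package and class names are hypothetical.
// Assumed manifest entry for this activity: an <intent-filter> with action
// android.intent.action.SEND, category android.intent.category.DEFAULT and
// <data android:mimeType="*/*"/>, so it appears as a target for every share.
package com.example.sharedump

import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Log

class ShareDumpActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        dump(intent)
        finish()
    }

    private fun dump(intent: Intent) {
        Log.i(TAG, "action=${intent.action} type=${intent.type} data=${intent.data}")

        // Every extra the sending app attached, including ones the user never sees.
        val extras = intent.extras ?: return
        for (key in extras.keySet()) {
            val value = extras.get(key)
            Log.i(TAG, "extra $key (${value?.javaClass?.simpleName}) = $value")
        }

        // Key name taken from the post. That its value is a content Uri is an assumption.
        val shot = extras.get(SCREENSHOT_KEY)
        if (shot is Uri) {
            val size = try {
                contentResolver.openInputStream(shot)?.use { it.readBytes().size }
            } catch (e: Exception) {   // no read grant, or the file is already gone
                Log.w(TAG, "screenshot Uri present but unreadable: $e"); null
            }
            Log.w(TAG, "screenshot shared: uri=$shot mime=${contentResolver.getType(shot)} bytes=$size")
        } else if (shot != null) {
            Log.w(TAG, "screenshot extra present with unexpected type: $shot")
        }
    }

    private companion object {
        const val TAG = "ShareDump"
        const val SCREENSHOT_KEY = "share_screenshot_as_stream"
    }
}
```

With the app installed, sharing a page to it and running `adb logcat -s ShareDump` shows which extras the browser attached to the share.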

Looking into whether this is a documented feature, I was not able to locate any place where it is mentioned as a feature, but searching for the key “share_screenshot_as_stream” I found it in a few places and in the source code for Chromium.

The privacy concern I have with this is that, as a user, my expectation when I share from Chrome to a third-party application is that I am sharing what is displayed in the address bar and nothing more. Also, Chrome doesn’t inform me that it is sharing the screenshot. The screenshot might also expose private information to a third-party application. If this is a feature that is needed, it should at least inform the user and give an option to share it or not. I hope the Chrome developer team fixes this in future releases.
