A strange bug leads me to discover an undocumented Chrome for Android feature which is potentially a privacy hole.

Aymen, Nov 21, 2018

When I find an interesting article on my phone and like to continue reading it on my computer, I usually use Pushbullet. Last week, when I tried sharing a page from Chrome on my Android phone to my computer, a strange thing happened: rather than a new tab opening with the link I shared, a file started downloading to my computer. Thinking it might be some text file with the link, I tried opening it in a text editor, but it turned out to be a binary. A quick file check in a terminal revealed it was, in fact, a jpg file. Opening the file, I found that, strangely, it was a screenshot of the tab I shared. Surprised, because I had shared multiple times before and this never happened, I tried sharing another tab, but this time it worked as expected. Looking at the link I had shared before, the only thing that stood out was that it had the “dev” TLD (top-level domain). Trying other pages with the “dev” TLD and some random TLDs, I managed to replicate the bug and reported it to the Pushbullet developers.

Wondering how Pushbullet got the screenshot to send in the first place, rather than the link as it usually does, I started investigating how the Chrome share works and what is included in the intent. For that, I decided to create a test app which registers to handle all shares and prints what is included in the intent. Testing it on my Android 9 device with Chrome 70.0.3538.80 installed, I saw that it is Chrome that is sharing the screenshot as part of the share intent, using a key “share_screenshot_as_stream”.
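
A minimal share receiver of the kind described above, as an added example rather than the author's test app: it logs every extra in an incoming share intent, so a key such as share_screenshot_as_stream shows up in logcat together with the type and size of whatever it points to. The package, activity name, log tag and manifest entry are assumptions.

```kotlin
// Added example, not the author's test app. Hypothetical names: ShareDumpActivity, TAG.
// Assumed manifest entry, so the activity appears in the share sheet:
//   <activity android:name=".ShareDumpActivity" android:exported="true">
//     <intent-filter>
//       <action android:name="android.intent.action.SEND" />
//       <category android:name="android.intent.category.DEFAULT" />
//       <data android:mimeType="*/*" />
//     </intent-filter>
//   </activity>
package com.example.sharedump

import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Log

class ShareDumpActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        dump(intent)
        finish() // nothing to show; output goes to logcat
    }

    private fun dump(intent: Intent) {
        Log.d(TAG, "action=${intent.action} type=${intent.type} caller=$referrer")
        val extras = intent.extras ?: return
        for (key in extras.keySet()) {
            @Suppress("DEPRECATION") // untyped get() is what lets us see unknown keys
            val value = extras.get(key)
            Log.d(TAG, "extra $key (${value?.javaClass?.simpleName}) = $value")
            // A Uri value means the sender is handing over a file, not just text.
            if (value is Uri) describe(key, value)
        }
    }

    private fun describe(label: String, uri: Uri) {
        val mime = contentResolver.getType(uri)
        // Opening the stream only succeeds if the sender granted read access.
        val size = try {
            contentResolver.openInputStream(uri)?.use { it.readBytes().size }
        } catch (e: Exception) { null }
        Log.d(TAG, "$label -> $uri mime=$mime bytes=${size ?: "unreadable"}")
    }

    private companion object { const val TAG = "ShareDump" }
}
```

Pick the app from the share sheet and filter logcat on the ShareDump tag to see one line per extra.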