200,000 Workers’ PII at Risk in WorkComposer S3 SNAFU
Workplace monitoring system WorkComposer stored 21 million employee screenshots unencrypted in an open S3 bucket, triggering a privacy crisis that could expose trade secrets and personal information. 2025-4-25 16:5:20 Author: securityboulevard.com (view original)

21 million screenshots in one open bucket.

Workplace surveillance system WorkComposer is under fire this week, for storing sensitive data with zero security. The hapless firm saved more than 21 million screenshots from 200,000 users’ work PC screens—and popped them in an open Amazon Web Services S3 bucket.

Hackers could have easily stolen company secrets—and personal ones, too. In today’s SB Blogwatch, we can’t quite believe it.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ADHD.

Don’t Say ‘Spyware’

What’s the craic? Paulina Okunytė reports: Employee monitoring app leaks 21 million screenshots

Basic security hygiene ignored
Your boss watching your screen isn’t the end of the story. Everyone else might be watching, too. [We] have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people.

The app, designed to track productivity by logging activity and snapping regular screenshots of employees’ screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day. [They’re] extremely sensitive, as millions of screenshots from employees’ devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain login pages, credentials, API keys, and other sensitive information.

WorkComposer is one of many time-tracking tools that have crept into modern work culture. Marketed as a way to keep teams “accountable,” the software logs keystrokes, tracks how long you spend on each app, and snaps desktop screenshots every few minutes. … Time-tracking tools already sit in murky ethical territory. … The leak shows just how dangerous this setup becomes when basic security hygiene is ignored: [It] turns everyday work activity into a goldmine for cybercriminals.

Is it still live? Amber Bouman clarifies: 21 million employee screenshots leaked

Iffy ethical territory
Though the company did secure access after being contacted, … the data was exposed in real-time to anyone with an internet connection. [The] screenshots … could be used not only to attack businesses themselves but to commit identity theft, hijack employee accounts or commit further breaches.

The companies that have been using WorkComposer could now be subject to E.U. GDPR (General Data Protection Regulation) or U.S. CCPA (California Consumer Privacy Act) violations along with other legal actions. … Since workers have no control over what tracking tools may capture in their workday, be it private chats, confidential projects or even medical info, there’s already an iffy ethical territory around tracking tools.

“Iffy”? You can say that again. Sead Fadilpašić says that again: App leaks 21 million screenshots on thousands of users

Many companies don’t truly understand
WorkComposer is basically a surveillance tool built primarily for remote workers, allowing bosses and managers to keep track of what their employees are doing. It logs hours, app use, but most importantly, it grabs screenshots every 20 seconds.

These screenshots show what the employee is working on at any given time, which could include sensitive [information]. Undefended, or poorly protected databases are one of the most common causes of data leaks. … Security researchers are warning that many companies don’t truly understand the concept of “shared responsibility” when it comes to securing the cloud.

What price privacy at work? It’s worse than that, thinks ScamMerica:

Not only is this an invasion of privacy, but it seems like a major security risk for the companies using the service. Who knows what sensitive company secrets could be onscreen when those images are captured? It’s also exactly the sort of exploit that Chinese state actors pull on US companies.

I’d also add that you shouldn’t be logging into any sensitive personal accounts on your work computer, or even on your personal phone or laptop over their Wi-Fi network. The companies themselves cannot be trusted, nor can their other employees or third-party services.

How come we’re still hearing about unsecured S3 buckets? DarkOx despairs:

How old is the product? It used to be much easier to make S3 buckets public.

What is rather inexcusable here is the most basic of security reviews: [Even] a completely automated CIS Benchmark check—point click go—should have picked up public permissions on a bucket.
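The automated check DarkOx describes, as an added example that is neither part of the original post nor WorkComposer’s code: a pure-Python audit of the three places an S3 bucket can be made public (the public access block, the bucket ACL and the bucket policy), run over constructed sample configurations shaped like the AWS API responses. The bucket name, account ID and role ARN are made up; an unconditioned `Allow` to the wildcard principal is what it flags as the classic open-bucket policy.

```python
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample inputs (not WorkComposer's real configuration). The dicts
# mirror the shape of GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock
# responses, so real API output can be fed to audit_bucket() the same way.
OPEN_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-screenshots/*"}]},
    "acl_grants": [{"Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "public_access_block": {flag: False for flag in PAB_FLAGS},
}
LOCKED_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-screenshots/*"}]},
    "acl_grants": [], "public_access_block": {flag: True for flag in PAB_FLAGS},
}


def principal_is_public(principal) -> bool:
    """True for the wildcard principal, written either as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket(cfg: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing public was found."""
    findings = []
    pab = cfg.get("public_access_block") or {}
    findings += [f"public access block: {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    for grant in cfg.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    statements = (cfg.get("policy") or {}).get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if (st.get("Effect") == "Allow" and not st.get("Condition")
                and principal_is_public(st.get("Principal"))):
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            findings.append("policy allows " + ", ".join(acts) + " to any principal")
    return findings
```

Running `audit_bucket(OPEN_BUCKET)` reports all four public-access-block flags off, the AllUsers ACL grant and the wildcard policy; the locked configuration produces no findings.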

But why on Earth do companies spy on their staff like this? Because, blurts Bumbum:

Because a few bad apples spoil the whole bunch and ruin it for everyone.
Because middle managers have to justify their pitiful existence.
Because God forbid I take 5 minutes of company time to step away from my desk to regroup or stretch.
Because executives get off on controlling their underpaid, desperate peons.
Shall I continue?

The Peter Principle is still a Thing, I guess. drnb summarizes thuswise:

I expect it’s motivated by remote work. Judging progress towards a goal would require a manager who is well qualified to judge the amount of work necessary for a task, to be in frequent communication with an employee to know of any unexpected problems delaying completion, perhaps helping to address those problems, etc.

It would require management to be doing a lot of work keeping informed and up to date and being useful. An app that tells them how many hours a day someone is moving a mouse or typing at a keyboard is so much easier. … Actual metrics or progress are hard to get.

Why can’t bosses trust their staff? “Human nature is against it,” is Abner’s analysis:

There are some employees who can’t be trusted, and there are bosses who are control freaks. Reasonableness is as rare as “common” sense.

What is this reminding me of? RitchCraft puts their finger on it:

Wait for it. This will eventually happen to Microsoft Recall—on a much grander scale.

Meanwhile, @MikeBalroop gets meta:

I am reading this article right now at work—when I should be working.

And Finally:

Agency for Defense against Hallucinatory Disruptions

Hat tip: Pompey Monkey, who says it’s “best turned up loud enough to annoy the neighbours.”

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: From Marwool (via Unsplash; leveled and cropped)


Source: https://securityboulevard.com/2025/04/21m-screenshots-open-s3-bucket-workcomposer-richixbw/?utm_source=rss&utm_medium=rss&utm_campaign=21m-screenshots-open-s3-bucket-workcomposer-richixbw