https://bugs.kde.org/show_bug.cgi?id=521523
Bug ID: 521523
Summary: Spectacle silently leaks your screenshots pre edit/redaction
Classification: Applications
Product: Spectacle
Version: unspecified
First Reported In:
Platform: CachyOS
OS: Linux
Status: REPORTED
Severity: major
Priority: NOR
Component: General
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
Created attachment 193199
--> https://bugs.kde.org/attachment.cgi?id=193199&action=edit
1min clip of bug in action
## Summary
In Spectacle's annotation editor, after editing an image and saving with
Ctrl+S, the "Copy Image" button shown in the post-save notification toolbar
copies the **original, unedited capture** to the clipboard rather than the
edited image. The file written to disk is correct; only the clipboard is wrong.
This is shipped behavior in default settings and constitutes a serious
data-leak hazard. Spectacle's annotation tools are routinely used to redact
sensitive information (passwords, identifiers, PII, internal hostnames, tokens)
before sharing screenshots. Users who follow the visually-promoted
save-then-Copy-button workflow silently leak the unredacted image to any paste
target.
Attaching 1 min clip with the bug in action.
## Steps to reproduce
1. Capture a region containing readable sensitive text
2. Open the annotation editor; draw a filled rectangle covering the sensitive
text
3. Ctrl+S to save the image
4. In the post-save notification toolbar (default-visible), click "Copy Image
to Clipboard"
5. Paste into a target without a preview thumbnail (catbox.moe, plain HTTP
form, IRC, terminal upload tool)
## Actual behavior
The pasted image is the original capture without the redaction. The saved file
on disk contains the redaction correctly.
## Expected behavior
The post-save Copy button copies the same content that was just saved — the
edited image.
## Diagnostic evidence
`wl-paste --list-types` differs between the initial capture event and the
post-save Copy click:
After initial capture:
```
image/webp (primary)
application/x-qt-image
x-kde-force-image-copy (force flag)
application/x-kde-suggestedfilename
image/png
[further QImage formats]
```
After clicking post-save Copy:
```
application/x-qt-image (primary)
application/x-kde-onlyReplaceEmpty (polite-only-if-empty flag)
image/png
[further QImage formats]
```
The capture event uses `x-kde-force-image-copy`; the post-save Copy event uses
`application/x-kde-onlyReplaceEmpty`. Both events deliver the same unedited
bytes.
Saved file is edited; clipboard contents are not.
## Why this is severe
1. Default settings — no opt-in required to land in the bug
2. The notification toolbar visually foregrounds the Copy button immediately
after save, making it the apparent intended workflow
3. Every other verification signal (editor preview, save notification, saved
file on disk) shows the edited result
4. No logical user-side check catches this — only pasting and inspecting the
output reveals it's the pre-edit version
5. Paste targets without preview thumbnails (catbox, HTTP uploads, IRC,
terminal tools, chat apps in attachment-only mode) are exactly where redacted
screenshots are commonly shared
6. The annotation editor's primary use case overlaps heavily with redaction
## Environment
- Distro: CachyOS x86_64 - Linux 7.0.12-1-cachyos
- KDE Plasma Version: 6.6.5
- KDE Frameworks Version: 6.27.0
- KWin version: 6.6.5
- Spectacle version: 6.6.5
- Display server: Wayland
- Qt version: 6.11.1
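The report notes that no user-side check catches the mismatch short of pasting and inspecting. The script below is an added example, not code from the bug report or from Spectacle: it pulls the clipboard image with `wl-paste --type image/png` (assumed installed, with `image/png` offered as in the `wl-paste --list-types` listing above) and compares it pixel-for-pixel with the file just saved, so a stale unredacted capture is flagged before anything is pasted. Pixels are compared rather than file bytes because the clipboard PNG and the on-disk PNG can be encoded differently while being the same picture. The built-in PNG decoder covers only 8-bit non-interlaced RGB/RGBA, and `demo()` exercises the comparison on a constructed 4x2 image with a "secret" block and its redacted copy.

```python
"""Added example (not from the bug report): check that the Wayland clipboard holds
the same picture as the file Spectacle just saved, by decoding both PNGs to raw
RGBA and comparing pixels rather than bytes."""
import struct
import subprocess
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _paeth(a, b, c):
    # Paeth predictor from the PNG specification.
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def _predict(f, a, b, c):
    # Predictor for filter types 0..4 (None, Sub, Up, Average, Paeth): a = left, b = above, c = above-left.
    return (0, a, b, (a + b) // 2, _paeth(a, b, c))[f]


def decode_png_rgba(data):
    """Decode an 8-bit non-interlaced RGB/RGBA PNG to (width, height, rgba_bytes)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, ihdr = 8, [], None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
    w, h, depth, colour, _, _, interlace = ihdr
    if depth != 8 or interlace != 0 or colour not in (2, 6):
        raise ValueError("only 8-bit non-interlaced RGB/RGBA is supported")
    ch = 3 if colour == 2 else 4
    raw, stride = zlib.decompress(b"".join(idat)), w * ch
    prev, out = bytearray(stride), bytearray()
    for y in range(h):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        f, line = row[0], bytearray(row[1:])
        for i in range(stride):  # undo the per-scanline filter in place
            a, c = (line[i - ch], prev[i - ch]) if i >= ch else (0, 0)
            line[i] = (line[i] + _predict(f, a, prev[i], c)) & 0xFF
        prev = line
        if ch == 3:  # normalise RGB to opaque RGBA so both encodings compare equal
            line = bytes(v for px in range(w) for v in (*line[px * 3:px * 3 + 3], 255))
        out += line
    return w, h, bytes(out)


def encode_png(w, h, ch, pixels, filter_type=0):
    """Encode 8-bit RGB (ch=3) or RGBA (ch=4) pixels as a PNG, one filter type on every row."""
    stride, prev, raw = w * ch, bytearray(w * ch), bytearray()
    for y in range(h):
        line = pixels[y * stride:(y + 1) * stride]
        raw.append(filter_type)
        for i in range(stride):
            a, c = (line[i - ch], prev[i - ch]) if i >= ch else (0, 0)
            raw.append((line[i] - _predict(filter_type, a, prev[i], c)) & 0xFF)
        prev = bytearray(line)

    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2 if ch == 3 else 6, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b"")


def same_picture(png_a, png_b):
    """True when both PNGs decode to identical RGBA pixels, whatever their encoding."""
    return decode_png_rgba(png_a) == decode_png_rgba(png_b)


def clipboard_matches_saved(saved_path, paste_cmd=("wl-paste", "--type", "image/png")):
    """Pull the clipboard PNG (assumes wl-clipboard is installed and image/png is offered)
    and compare it with the saved file; False means the clipboard holds a different picture."""
    clip = subprocess.run(paste_cmd, check=True, capture_output=True).stdout
    with open(saved_path, "rb") as fh:
        return same_picture(fh.read(), clip)


def demo():
    """Constructed 4x2 capture with a red 'secret' block on the left and a redacted copy
    with that block painted black. Returns (re-encoded original matches, redacted matches)."""
    w, h = 4, 2
    original = bytes([255, 0, 0] * 2 + [200, 200, 200] * 2) * h
    redacted = bytes([0, 0, 0] * 2 + [200, 200, 200] * 2) * h
    as_rgba = bytes(v for px in range(w * h) for v in (*original[px * 3:px * 3 + 3], 255))
    return (same_picture(encode_png(w, h, 3, original), encode_png(w, h, 4, as_rgba, 4)),
            same_picture(encode_png(w, h, 3, original), encode_png(w, h, 3, redacted, 1)))
```

On a Wayland session, call `clipboard_matches_saved("/path/to/just-saved.png")` (placeholder path) right after Ctrl+S and the post-save Copy click; `demo()` returns `(True, False)`, showing that a re-encoded copy of the same picture passes while the unredacted-versus-redacted pair is flagged.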