Don't trust screenshots


Created: 12/13/2021
Updated: 12/13/2021

In this article I'll discuss why a screenshot should not be trusted. I'll also demonstrate how easy it is to manipulate website content. This article will touch on some application security topics, but is intended for anyone who uses the internet.


Intro

Screenshots should not be considered as "proof" or "evidence" of anything. They're actually quite a bit less trustworthy than a traditional photograph.

Chances are that at one point or another you've seen a post on social media that consists of a screenshot of something another person allegedly said on the internet. Many, maybe even most, people view these posts with the assumption of their authenticity. They're often called "receipts."

Screenshots are often authentic. However, I want your first thought when seeing a screenshot, on social media or anywhere else, to be one of doubt. Don't be a sucker!

Let me show you why...

Example time

Here are two screenshots of a post, one of them fake, from one of my favorite software engineers, "Uncle Bob" Martin [1]:

[Image: Tweet by Bob Martin that was not modified.]

[Image: Tweet by Bob Martin that was modified.]

Can you tell which one is fake?

How about these two screenshots of a BBC article [2] about killer otters?

[Image: Screenshot of a BBC article in its original form]

[Image: Screenshot of a BBC article with modifications]

If you go to the sources, you'll notice that the first screenshot of each pair has the real content, while the second is modified. But here's the thing: neither image was "tampered" with in any way. Both screenshots were captured in the same way from an open webpage in my browser. So what gives?

Some basic concepts

Any web developers reading this are already going to understand what I'm doing with the above examples, but for the rest of you, let me explain a few basic concepts.

Contrary to what you might assume, the website you're visiting doesn't actually have the final say on what shows up in your browser. Without getting too deep into how the internet works, just keep these concepts in mind:

  • When you visit a website, your browser makes requests for various resources (text, images, etc.)

  • Those resources are downloaded by the browser to your device

  • Your browser then interprets those downloaded resources and presents them to you as best it can

What does this mean?

It means that the server hosting the website only has control over what it responds with when it receives a request. It has no control over what the requester does with any of it.

So who does have control at that point? The answer is your network, your computer, your browser and any extensions you installed, and, in case it's not obvious yet, you!

Manipulating local browser content

Alright, now on to the fun part.

In an effort to cater to us web developers, most modern browsers now have a robust suite of "dev tools" built in that would make hackers of the '90s and early 2000s blush.


The steps below are written for Chrome and other Chromium browsers. Other browsers will likely have the same features, with subtle variations in naming.


  1. Pick a target website and go there (Twitter, Facebook, wherever)

  2. Find something on the page you want to change (post, headline, etc.)

  3. Right-click on what you want to change and click "Inspect"

    1. Context menu with
  4. This will open the browser's "dev tools" with the "Elements" tab opened and the content you originally clicked on selected.

    1. It should look something like this:

      Dev tools window with elements tab selected

    2. What you're looking at is a markup language called html, but all you really need to know for the purposes of this article is that this "html code" determines what your browser renders as content (the text on the page).

  5. You can simply double-click on any text you want to edit and start typing changes. Press Enter when you're finished. The new content will then be shown in the browser, appearing exactly as it would have if it had come from the source website that way.

    1. Rendered content on left, html markup in dev tools on right

Take a few minutes to play around. See what funny or even inappropriate things you can dream up. Then, ponder how many people you know that would fall for a fake screenshot you made... Scary huh?

What else can I change?

The short answer is, anything. You can add, modify, or delete any text, image, style, or behavior you like.

Keep in mind though, that this is just your local render of a page at a given point in time; once you refresh, any changes will go away and the page will be reset back to normal.

Consider how the fundamentals at play here likely power all your favorite browser extensions. Blocking trackers, forcing certain styles you prefer, or offering you spelling and password suggestions only work because you and your browser have the final say on your user experience.

Isn't this a huge security vulnerability?

No, it's not. Ultimately, it's not a security vulnerability that an individual user is able to modify the content in their browser. This is expected behavior, and just how the web works.

There are quite a few security implications to what we've discussed so far, but I won't go there in this article since that topic deserves quite a few of its own.

Conclusion

After reading this article, I hope readers will be more skeptical of the information they're exposed to on the internet, especially as it relates to the so-called "receipts" in the form of screenshots. Most of the time screenshots are what they are presented as. However, as we've discussed in this article, you cannot assume anything based only on a screenshot.

What can you trust?

You'll have to determine a standard for yourself, but here are a few considerations:

  • Information that is corroborated by multiple independent sources is more likely to be true

  • Sources with "skin in the game" are more reliable

    • A person or organization with a reputation is generally more trustworthy than the anonymous "brodudeman420" account you just found

  • Trust yourself

    • Do some research!

    • If someone posts a screenshot of a website, go to the website and verify that the content is actually there. If it was deleted, try to find corroborating sources confirming that it was indeed there prior to being deleted.
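
The "go to the website and verify" step above can be scripted. The following is an added example, not code from the original article: it checks whether text quoted in a screenshot appears in the reader-visible text of the HTML the source returns. The function names and the sample HTML are constructed for illustration.

```javascript
// Added example: is the text quoted in a screenshot present in the HTML the
// source actually serves? All function names here are hypothetical.
const ENTITIES = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"],
  ["quot", '"'], ["apos", "'"], ["nbsp", " "]]);

// Decode numeric entities and the few named ones common in article text.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== "#") return ENTITIES.get(body.toLowerCase()) ?? match;
    const hex = body[1].toLowerCase() === "x";
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Fold curly quotes, case and runs of whitespace so formatting differences
// between the screenshot and the page do not cause a false mismatch.
function normalise(text) {
  return text.replace(/[\u2018\u2019]/g, "'").replace(/[\u201c\u201d]/g, '"')
    .replace(/\s+/g, " ").trim().toLowerCase();
}

// Reduce HTML to reader-visible text: drop script/style bodies and comments,
// remove inline tags without adding a space, turn other tags into spaces.
function visibleText(html) {
  const stripped = html
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, " ")
    .replace(/<!--[\s\S]*?-->/g, " ")
    .replace(/<\/?(a|b|i|em|strong|span)\b[^>]*>/gi, "")
    .replace(/<[^>]+>/g, " ");
  return normalise(decodeEntities(stripped));
}

// True only if the claimed quote occurs in the source's visible text.
function quoteAppearsInSource(sourceHtml, claimedQuote) {
  const needle = normalise(claimedQuote);
  return needle.length > 0 && visibleText(sourceHtml).includes(needle);
}

// Constructed sample standing in for a server response (not real BBC markup).
const SAMPLE_SOURCE_HTML = `<html><head><style>h1 { color: red }</style>
<script>var draft = "Otters take over city hall";</script></head>
<body><h1>Otters &amp; people:   an uneasy   truce</h1>
<p>Attacks are <em>rare</em>, but &#8220;keep your distance&#8221;.</p>
</body></html>`;

console.log(quoteAppearsInSource(SAMPLE_SOURCE_HTML, "Otters & people: an uneasy truce"));
console.log(quoteAppearsInSource(SAMPLE_SOURCE_HTML, "Otters take over city hall"));
```

A `false` result means the quote is not corroborated by the page as currently served, not that the screenshot is fake: the content may have been edited or deleted since, or may be rendered by JavaScript that this text-only check does not run.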

Now, go forth with your newfound skepticism, but do try to resist the urge to prank your gullible friends and family 😉

Unless of course, such a prank could open their eyes...

Credits

  1. Uncle Bob's Twitter Feed
  2. BBC Otter Article