Show HN: Plus – Self-updating screenshots (plusdocs.com)
307 points by alixaxel 8 months ago | hide | past | favorite | 118 comments

This seems cool at first glance... but will users understand that this tool basically hijacks your user session to refresh the screenshots? In other words, this tool can only update a Google Analytics chart if you give it access to your Gmail? That's scary.

It also circumvents 2FA, because sessions are leaked to Plus after you've used your TOTP code or YubiKey. How can any business be OK with this??

> How can any business be OK with this??

First step is probably "don't look too closely" (:

I agree though — I would not want this thing doing who-knows-what-unverifiable-fiddling with my data and credentials.

I worked for a personalization vendor a few years ago and was on an engineering team that built a feature like this. It was ... a major headache, and I don't think anyone was ever completely comfortable with the security implications.

So I wish the team good luck, and especially with issues like:

* A/B testing. How can you ensure that what your clients are seeing is the same thing you are seeing? Maybe you've been assigned to different A/B groups.

* Extensions. What if your clients are using Chrome extensions that affect how the page is rendered? How can you replicate that?

* Networking/auth issues. What do you render if you're unable to connect or log in?

We appreciate the good luck! We're definitely going to need it. I spoke to the security side in a previous comment, but here's some thoughts on the other points you mentioned:

* A/B testing: We're grabbing the browser session data, which includes things like cookies and local storage. In our experience, this tends to be where A/B testing group identifiers are stored. But, if it was on something like the IP, then, yeah, it is pretty hard for us to get around.

* Extensions: Yeah, this is a really tricky one. We've resorted to asking some of our more active customers, who've had these issues with content blockers, to use a separate browser profile. One thing we do for this (which also can help solve the first point) is what we call "smart capture", in which we capture based on a DOM selector, instead of x/y coordinates. That way, no matter the page layout, we get it right. The hard part of this, though, is this is not reliable on every site, and we've only enabled it on sites that we know it works well on.

* Networking/auth issues: This is a really fun one! I mentioned it in another comment, but we're doing some logic around detecting logged out state, with an image classification model, and checking the HTTP status code for resource requests. When we can detect it, we send the user an email, and give them a flow where they log back in, and allow our extension to capture the state data again. On networking, we can't get around things like corporate intranets of course, but these seem to be rare for our customers. We also will just retry the capture if there's a network error, and we notify people when there are errors, so they can take action accordingly.

So you keep client cookies and auth tokens… somewhere?

Sounds like one of those cases where convenience trumps security for business users and the engineers keep their palms close to their faces.

There is a payment provider in Europe that has become rather popular, who implement "instant" payments by asking for your online banking credentials... Security best practices always go out the window when they interfere with the business case.

> We’re grabbing the browser session data

Correct me if I’m wrong but this is disallowed by many end sites eg Google and circumvents oauth/any real security. If your very new business was hacked in any way you’d be solely on the hook for the massive damage a bad party could do with such an elevated session with no real boundaries.

Cool idea, but I fail to see how this is 1) legal under many ToS’s and 2) not just a dangerous XSS attack waiting to happen.

I had the same thought. It's a novel idea, but the security / practicality of it all is a nightmare to think about.

> What if your clients are using Chrome extensions that affect how the page is rendered? How can you replicate that?

You should not rely on anything on the client side, just accept the fact you don't control the code that is run there.

If you care about a few cases like adblockers, just test them in a headless browser.

Tangentially related question: what are the most successful products built around browser extensions? I sometimes have ideas that would require browser extensions, but it feels like the target market must be computer literate for any chance of success (no mobile support, for example).

It depends on your definition of success, but the list is bound to include Adblock, Grammarly, Honey and some password manager. And at least Grammarly and Honey are not specifically targeted at computer literate people.

Honey was primarily a browser extension. 4 billion exit

Take a look at Grammarly. A decacorn chrome extension

There seem to be a lot of those Chrome video recording/school ones, like Loom. Seems like a lot of schools use it to record lessons. Being on Chromebooks, I would think they are used to installing extensions, if allowed! Usually that is on a whitelist basis.

Do not know how much money it brings in though.

Possibly Pinterest. I am not sure if the browser extension was 100% necessary for Pinterest to succeed, but I remember it being part of the new user sign-up flow, at least at one point.

Rakuten (formerly Ebates).

Fakespot and Bubbles have raised millions. Will see how they go


Hey, I helped build this! Thanks for submitting this.

I'm an engineering manager at Plus — would be happy to answer anyone's questions about our product. You can also shoot me an email at zach(at)plusdocs.com if you'd like to hear more about what we're up to.

Minor thing: I can't watch the video because of the tracking system and my adblock. but cool project!

I'll flag this to our designer. Thank you!

Any Googlers in the team ?

No Googlers, but we do have some ex-Meta and ex-Microsoft! https://www.plusdocs.com/company

This seems like a spectacular way to break permissions restrictions and escape data to non-authorized entities. If it's successful, it's the sort of thing that will be brutally blocked by IT all over the place.

Very slick, though.

(I'm an EM at Plus) Yeah, we think about the permissions/data escape a lot. I'm glad to see others are commenting with scrutiny too. We've put a lot of effort into our security model, since we know that we're handling very sensitive data.

To give a bit of a peek in: All of the session data we store is encrypted with a key unique to each organization, managed through AWS KMS. We've also built a fully event driven architecture, so every action that occurs in any of our services is logged and auditable. Access to our production data is extremely limited, with our default role grants not allowing access to sensitive data at all. (We have an in-app issue reporting tool to let a customer grant us access to debug data)

Overall, our hope is that we can work with IT departments to help them understand how Plus works, and allay their concerns if a company sees value in using Plus. Making sure our security model is top notch is one of the top priorities for our engineering team.

Might be useful when an image url is embedded in another page (like notion for instance), that it become a two-step workflow, so you have to go back to your Plus dashboard and allowlist that specific page that is the requestor.

That way, if someone takes the url of the image and shares it, it doesn't work without the owner allowing it again.

Of course, this isn't meant as a security measure, as it would be trivially simple to circumvent, but more of a way of keeping track of the general surface area of how widely shared an image is and putting the power in the users' hands to rein it in.

As someone in IT, but as a lowly technician, medium and large companies are leaning more and more towards a locked down Microsoft, Google, or Apple platform with managed browsers with extension whitelists, and whitelist allowed OS apps only via MDM.

It's both a tech and management thing. Management likes the control and less risk, and having one console to login to as opposed to 4 makes things easier for IT.

Just a general comment.

Do you support apps that do proper session invalidation (auth cookie can't be reused after the user signs out for example)?

The cases I'm thinking about would more be internal data protections.

I'll give an example:

We have wikis that are internally and externally accessible, with permission systems for internal users and external partner users that carry different restrictions (e.g., VPN concentrator address range restrictions). If someone tries to access a page in the wiki that they don't have access to, the result is the same as if the page doesn't exist. This reduces leakage from link-guessing (I bet there's still a timing side-channel attack). Additionally, if someone builds a page that uses excerpts from pages that they don't have access to, the excerpt will appear blank. This has led to plenty of funny meetings where one party was talking about a status or readout and the rest of the room was deeply confused (due to a lack of access).

This particular wiki is one of dozens of internal tools with similar (but not identical) compartmentalization protections that I use weekly. Unless Plus can safely and securely account for such restrictions, it's going to be a tough sale for us, and limited coverage areas from partial integration would likely leave the tool with usage start-up issues. To some extent this is a classic uncrackable nut, as the most natural approach (integrate with services and systems) isn't entirely under the control of one party. The next left turn is to integrate with popular software/service providers, something they'll resist due to the natural incentive to avoid disintermediation and the high risk of incorporation of other access models.

Maybe in 10 years Plus will have been the source of a comprehensive declarative permissions modeling system replete with formally verified macro system composition (boil the ocean style), or maybe I'm missing a clever simplifier to address these and other headwinds stemming from business model and tech architecture intersections. Either way, the explainability of the feature and the end-customer simplicity leave me hoping that things work out. It'll definitely be an interesting ride.

Highly tangential to Plus, but this issue is highly prevalent in IT. Usually, no one knows what systems there are and who has access to what. So Plus (or whoever) cannot really solve this problem without providing separate access management tooling.

An idea, that you’ve probably thought of, but is it possible to do this without allowing others to update the screenshots? Updating would require the user(s) who produced the document to be logged in to the service.

Guess, adding source string at the bottom on Plus screenshots might be at least a partial solution:

> Source: <URL/WebsiteName>, <AccessDate>

Is it all that much more a risk than taking a screenshot, putting it on cloud storage like OneDrive/GDrive, and sharing with a "anyone who has the link" permission?

B/c I feel like that is super common and kind of impossible to stop with a permissions approach.


When you take a screenshot, its contents are known and fixed.

When you regularly and automatically refresh a screenshot of a particular x/y coordinate part of a specific screen on a website, what happens when "positive customer interactions" gets moved, and "internal notes on this customer, not for sharing with them" gets put in that spot?

Perhaps they can make it so that the element's XPath / node id is stored and used for capture rather than X + Y coordinates. Still prone to failure I know, but ultimately more reliable.

My guess is this works by uploading your browser's data (cookies, local storage, etc.) to Plus so that it can retake the screenshot with a headless browser even if the web page requires authentication. So if someone hacks Plus or if some employee goes rogue, they can potentially access any web app you are taking screenshots of.

In other words, if Plus becomes popular, its database will become a prime target for hackers and three letter agencies.

Based on the Chrome extension's minified source code (via https://chrome.google.com/webstore/detail/plus/bnebanooamokk...), with files like runReloadCurrentSnapshot.js, it seems that Plus's background worker is loading pages (possibly as pop-unders) in your browser as you use it, using whatever your current cookies & localStorage credentials happen to be.

What this means is that (whether now, or with an update that could easily slip the notice of Chrome Web Store auditors) Plus could direct your browser to take these actions on a domain where you had never explicitly told it to take a screenshot, using not only the credentials from when you installed Plus but whatever credentials exist on an ongoing basis.

Of course, this is also true of any extension that you grant permission to access all websites. But Plus has already shipped the code to access the DOM of arbitrary tabs already loaded in everyone's browser, and communicate that information to the cloud, without an auditable open-source core. I have a lot of trust, for instance, that if uBlock Origin were to start sending my data to the cloud, someone would post about it on HN. An attacker with the ability to send updates to the Chrome Web Store as Plus, and operate Plus servers as command-and-control servers, could do this a lot more subtly, and that's definitely a yellow flag.

All tech companies, if successful, will one day be a target for hackers and security agencies.

That screenshot possibly becomes outdated the second after it’s snapped. This seems to be able to store session data from the user that took the screenshot, and will happily allow anyone access to view it.

The example video shows him taking a screenshot of an Amplitude dashboard using a browser plug-in. Thinking about how that’s possible, it must be skimming the session cookie off the browser, and using it to request the same page on Plus’s side to generate an image. You can imagine how that might be compromising.

Edit: you log in within the plus web app itself, which feels a little better. Still no totally secure way to do this but seems really useful.

A lot of orgs lock down access to cloud storage (eg only company managed OneDrive on company managed devices) to prevent these kinds of data leakage. So they’d block access to this tool too.

Well managed companies will use one approved cloud tool like Onedrive or Gdrive and turn that off in permissions if they want. Just like this site will and should be blocked if it gets popular enough.

One manually taken screenshot vs dozens of screenshots taken automatically.

Love the idea. Execution is tricky like others mentioned, but this is one of those slap forehead ideas on how simple and game changing it is if you can pull it off.

This seems identical to the live screenshots you can add to an easel in the Arc browser [1]. I've created a view with that that shows a collection of different analytics sites, that all update automatically. Only downside is that occasionally you have to login to keep those views up to date.

[1] https://youtu.be/ukquBSOpmTk?t=290

Came here to say the same thing. The easel feature in Arc can do this.

Arc browser https://arc.net/

This functionality reminds me of a networked version of an obscure (but sometimes useful) Excel feature, the "Camera Tool":


Basically, it lets you select a range on a worksheet, and then shows a live updating picture of that range in a new region (possibly in a different sheet). Why is that useful? Well, the range can contain charts in addition to just cells with data. It can be handy to have the charts actually defined in the sheet where the data is stored, and this lets you do that while still displaying the chart in the sheet where you want to show it.

I love arcane tools like this. I'm definitely going to share this with our team. Thanks!

This is awesome. Can't believe I've never seen this before.

Very cool. How does Plus handle updating screenshots taken on authenticated pages once that authentication has expired?

(I'm an EM at Plus) It's a bit complex, and not quite perfect, but I'm pretty happy with what we've done so far. The first method is by looking at the HTTP status codes. Since we're running a full browser on our side, we can tell if the status codes that returned are different than the initial capture. We also have been training an image classification model on pictures of log-in screens — this has worked surprisingly well, honestly. We've started expanding it to other types of "incorrect" screenshot scenarios as well, like loading screens, and we're seeing some cool early results.

Ok but once it's recognised a login screen, what does it do? And presumably you can't use this for sites that require frequent MFA...

From another commenter, it prompts the screenshot "owner" to refresh

Why would running a full browser be relevant to knowing HTTP statuses of requests?

Our product works by taking a screenshot using a headless Chrome instance. In this case, it's helpful because we can look at not just the status code of the HTTP request to the page itself, but also any resources the page may fetch. This is particularly useful for SPAs, since they may return a 200 for the page itself, but an API call they make might return a non-200 when logged out.

This is covered in the documentation. You have to log back in, and Plus prompts you. Hence it's discouraged for sites that log you out a lot, like financial sites.

The most important page is a bit buried -- https://www.plusdocs.com/pricing

Free to use for now.

The idea is great, but what about security? When you get the user's cookie and session information (basically you're taking a snapshot of the browser and reproducing it at your end), you can do anything with it. What if someone uses it to take a screenshot of their bank account? (probably not possible due to two-factor authentication)

The landing page seems very focused on the “dashboard” use case for Plus, but the domain (plusdocs.com) sounds to me like it was originally intended to keep product screenshots in documentation updated. Was there a pivot? Is it still suitable for that use case?

Congrats on the launch!

Was it an intention to make the design similar to https://gumroad.com/? Or am I the only one seeing an uncanny resemblance?

(I'm a designer at Plus) It wasn't our intention to look specifically like Gumroad, but some of the visual patterns are definitely similar. This aesthetic is making the rounds right now: https://bootcamp.uxdesign.cc/the-neubrutalism-or-neo-brutali...

We were looking for something that felt approachable and fun, magical but not mysterious. After trying a bunch of different things, this is where we landed.

They look very different to me. Maybe a similar-ish color palette is what you're seeing?

I agree, looks a lot like Gumroad

Really interesting tool and not even quite sure how the technology works. It's opening its own browser window (hidden) and capturing the same x/y pixels? Pretty clever.

Also, does anyone know what this new design trend is called? The bordered / minimal-but-not look?

It feels like a callback to 90s print, like the magazines I remember as a kid. 3-2-1 Contact and the like.

I am really loving the design. So refreshing but also super-polished -- a great differentiator from the corporate Memphis dominating the landscape right now.

This looks really cool and clever. I do have a question about security though. The FAQ states:

> Today, we encrypt all sensitive data on your computer before it is sent to our servers, your data is encrypted in transit and at rest. Our employees do not have access to the private key to decrypt sensitive data.

I wonder how this works. I assume Plus works by storing the cookies present in the user's browser so that it can inject those cookies in a headless browser to take a Snapshot. In order to do that, it would need to decrypt the cookie (if it was encrypted in the first place, which the FAQ seems to suggest). For that, the headless process needs the encryption key. That would mean that employees can also access that encryption key.

What am I missing here?

I assume they mean by default, employees do not have access to the KMS key necessary to decrypt the sensitive data. (They mention using an individual KMS key per customer)

I suspect there must be a handful of SREs who could access it if they really wanted to, though that access would still be logged in CloudTrail.

You've got it right! The KMS keys used to encrypt sensitive data are generated per customer, and the majority of our engineering team cannot access any sensitive production data at all. In theory, it would only be the select team members with privileged access that could access it, but as you mentioned, it would be logged in CloudTrail. We also have GuardDuty enabled, and it would likely alert on anomalous activity.

Personally, I think we could do a better job explaining our security model in our FAQ. I'll bring it up with the team.

> Our employees do not have access to the private key to decrypt sensitive data.

So this is literally a lie?

I want to use something like this to automatically detect visual breakage after auto updates for WordPress, discourse etc. Is there such a product? Preferably Open source

Lots of our customers use https://VisualSitemaps.com just for that. It's great for also keeping track of Competitors/Markets, besides internal QA.

something like https://playwright.dev/ might fit your needs.

Specifically writing some tests with the "Visual comparisons" feature might work.


Nice. I've been thinking about going the more complicated route of building a screenshot pipeline for our docusaurus based docs. I am currently considering building something that would allow you to embed a ```playwright code block into your markdown, containing a playwright test with the expected output, and then at build time it would execute the tests and replace the code blocks with the images.

Anyone do something similar?

This is similar for Jupyter + Robot Framework + Selenium: https://marketsquare.github.io/robotframework-seleniumscreen...

This is actually how the FastComments docs work. I did it because I hate taking screenshots.


Any plans to actually scrape the data instead of just the images? Having the actual data saved in a tabular format would really make this a killer product... You could probably do this by finding the elements within your selection and parsing the rendered HTML.

Images are great but for doing anything more complex than just viewing charts scraping the data would be a huge plus

What’s your usecase? Can you define “more complex”?

Say I want to plug historical data into a predictive model?

Or, probably another common potential use case... I want to create an alert if a value is above/below a certain threshold.

Yes. This is what we need too

The idea is really cool, but implementation seems hard to get right.

Apart from the security issues mentioned by others (related to storing user auth/session data), what happens if there's an update to the website/application where the screenshot is being taken from? Or if they add an announcement banner at the top, all content will be displaced.

I was thinking through similar scenarios. I think there will be tons of fringe cases that this won’t work well with, but for the core use cases (Google Analytics, Amplitude, etc.) it will work more predictably. An analytics tool should have minimal announcements, pop-ups, A/B tests, etc. This isn’t the right tool for perpetually updating screenshots of a specific region of CNN’s homepage.

For something enterprise scale, check out Tea Leaf. IBM ran the product for a while, I think now Acoustic has it. Many large F500 use this or other similar products:


This is not remotely close to "Plus"

As I have mentioned on other posts. Things like this need to be native apps, and not just a chrome extension or a web app. We need to get away from webapps for everything, and go back to native apps. Heck why do we have package tools then?

This is like doing integration the wrong way.

This is great. I've had to engineer this feature once before (updating an image status tag on Github issues), and was surprised it was so hard to find resources to solve that problem.

Reminds me of the WebClips feature from Safari that Apple killed

I was looking for something like this but for the Windows platform (not browser). The built-in snipping tool is great but I wanted a quicker way to take images. I tried looking up if right-click drag on the Windows desktop could be used to take a snap of the area (via some mouse-action binding). All I could find was that the action was bound to Windows Explorer copy/move semantics.

This product looks great, but I can’t get over how fresh the design of the landing page is. Great work

Insanely cool. Nice work to the team!

Awesome work! I think there should be a version that also refreshes screenshots of DOM elements specifically not just pixels - for example you might want to see how a thumbnail of a video changes over time from a rapidly changing page

Thank you! We actually do have the functionality you're mentioning. We call it "Smart capture": https://guide.plusdocs.com/snapshots-and-pages/snapshots/sit... Right now, we've only enabled it on sites where it works well, but we're hoping to bring it to more sites soon.

This could get pretty funny on days when the numbers go really badly lol

Sounds a lot like Simon Willison's open source project shot-scraper


This is pretty cool. It’s more or less a feature that is baked into the Arc browser, except in Arc you take snapshots of html elements instead of selecting an area of the screen.

Cool tool! Just a suggestion - building something like this for Zendesk (or any help center) would be an absolute game-changer!

This is so clever. Love it. Would love a version that just runs locally without sending things to the cloud.

The Arc browser has something like this with their Capture + Easels feature (example of this post: https://arc.net/e/A6D1FE0C-063A-4500-8D19-46581D16181E), and it supposedly does update.

Truth be told, I have no clue how the live-updating feature works when I share an Easel but it does capture the page as I see it

Edit: It does change on my local "Easel" almost instantly with my reply, but we'll see if that screenshot updates for others. A little experiment, I guess.

That's great and all but it seems one can not easily download the 'arc' browser.. Arc wants contact information to join a 'wait list'.. ?

what's an Easel?

It's their term for a board you can add shapes and captures of webpages to, and you can share it. Might be good for building a personal dashboard composed of multiple monitoring services


The nice thing about this approach, to my mind, is that it can take interactive interfaces and make them "read-only". It also seems like a pretty safe way to send data from behind your firewall.

Stick an `opacity: 0` div in front of it to "disable" interactivity


Wait, I tried this, but there is no way to simply get a link to the image to use it in an IMG tag?

It also says that I am "logged out" for a screenshot on a landing page where there is no login needed: https://i.snipboard.io/5INswy.jpg

I was hoping this would autoupdate user documentation based on the latest version of my app.

I'm wondering if you can automatically extract image features using AI?

I created an iOS app for "self-updating" widgets [1] based on the same principle:

However, with each version, Apple is killing the original Today widget this app needs.

[1] https://wowidget.github.io/

Despite my comments, the tool looks VERY cool and useful.

I’ve long seen a need for this, brilliant.

This is sick! Thank you

So this is just URL or bookmark with a screenshot as a thumbnail.

A word of warning: The video is LOUD and has no mute button or volume slider.

A video with no volume slider, really?
