Windows users, your cropped images may not be private
Have you heard about the recent discovery made by researchers regarding the Pixel's cropping tool? They found out that the tool did not fully remove the data that was deleted and that the deleted portions of the image could still be accessed with some effort.
Now, one of the same researchers has reported that the Snipping Tool for Windows 11 and the Snip & Sketch tool in Windows 10 have a similar vulnerability. This means that the information that users thought they had deleted may still be available on the internet, potentially causing privacy concerns.
David Buchanan, a researcher, has revealed via a tweet that the vulnerability in Microsoft's Snipping Tool can be exploited by taking a screenshot, saving it, cropping it, and saving it again to the same file. This process may leave the deleted data accessible within the file. As per Buchanan, one can use a similar code to the one used for accessing Pixel screenshots to retrieve the data, with minor modifications.
holy FUCK.
Windows Snipping Tool is vulnerable to Acropalypse too.
An entirely unrelated codebase.
The same exploit script works with minor changes (the pixel format is RGBA not RGB)
Tested myself on Windows 11 https://t.co/5q2vb6jWOn pic.twitter.com/ovJKPr0x5Y
— David Buchanan (@David3141593) March 21, 2023
It seems that the vulnerability in Microsoft's Snipping Tool is not very widespread. According to Buchanan, the exploit requires a specific sequence of actions involving saving, cropping, and saving again. Therefore, if the initial screenshot only includes a particular part of the screen, the exploit may not work. Although the Snip & Sketch tool in Windows 10 reportedly has the same vulnerability, Buchanan claims that the original Snipping Tool for Windows 10 does not have this issue.
Recently, Buchanan and fellow researcher Simon Aarons had warned about the "acropalypse" vulnerability affecting Pixels, emphasizing that even if this issue gets fixed, the problem does not go away entirely. The images created using the tool might still exist, and the portions that were intended to be cropped out may remain unaltered, leading to privacy concerns.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
Following the announcement of the "acropalypse" vulnerability, there has been an increased interest in examining other screenshotting tools. Chris Blume, who chairs the working group for the PNG image format that Snipping Tool uses, drew attention to the issue by tweeting that Snipping Tool may not truncate files accurately when overwriting existing images. Blume's tweet was instrumental in Buchanan's discovery of the vulnerability in Snipping Tool.
I've got a fun one for you all to look at.
I opened a 198 byte PNG with Microsoft's Snipping Tool, chose "Save As" to overwrite a different PNG file (no editing), and saves a 4,762 byte file with all that extra after the PNG IEND chunk.
Sounds similar :D
— Chris Blume (@ProgramMax) March 21, 2023
Microsoft is investigating the issue
"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected." – Jeff Jones, Sr Director, Microsoft
The recent discovery of vulnerabilities in screenshotting tools such as Microsoft's Snipping Tool has once again highlighted the ongoing challenge of maintaining data security in our increasingly digital world. The fact that these tools did not fully remove deleted data indicates the need for increased scrutiny of technology to ensure user privacy.
The warning about the "acropalypse" vulnerability affecting Pixels is a reminder that even seemingly minor issues can have far-reaching consequences. As we continue to rely more and more on technology, it is imperative that we prioritize data security to safeguard sensitive information and ensure that our digital footprints remain protected.
Advertisement
When there is a guide, error, solution that is applicable to many different Windows (7, 8, 10, 11) the authors often wrongly write “for/on Windows 10/11”, but the one time there is a bug specifically with Windows 10/11, they use the generic “Windows” term.
it’s funny but certain bits of software such a mspaint, snipping tool, notepad, calculator, haven’t needed any updating or improving since at least 2009 – yet MS will change things for the sake of changing them, and cause vulnerabilities. Clowns
Could you please be more specific?
Which “file version”?
I am still using an older version of snipping tool from 2017 because, privacy.
Microsoft has often ‘updated’ it against my wishes. I just do the permissions dance and put the old one back.
Latest one available at MS Store.
I wasn’t talking about your comment’s language, which I didn’t even notice. It was the capitalised standalone paragraph in the tweet — within the article itself, and therefore editorial policy of ghacks.
It’s a tricky matter, but that remark was over the top offensive for me. Different countries and communities, different attitudes.
I haven’t seen bad use of language in the article neither. However subjective considerations should be mainly free to be spoken about in these articles so forth. Unless they were against the international woke agenda, of course ;).
What exactly is “bad language” or “offensive”? Can you point me to it?
Could we please have no more bad language on this website. It is quite unpleasant and confronting.
Blasphemy combined with obscenity is about as bad as it gets.
Are you ok, dude?
W11 latest update to the its Snipping Tool has been a complete disaster of desing, the buttons to edit the image has been placed at the bottom of the screen and it collapses behind the ridiculous big taskbar that it’s at the bottom too! Don’t you have any ergonomics psychologyst to say you all that your UI designs are just unuseful crap! Damm it! Thanks for the article by the way.