If you’ve been sharing screenshots that were cropped or edited with the Snipping Tool in Windows 11, your privacy may be at risk.
It looks like Windows’ built-in screenshot editing tools are also affected by “aCropalypse” — a recently discovered security flaw in Google Pixel’s Markup image editing tool that allows for the partial recovery of original images from cropped or edited versions.
The original vulnerability was discovered by security researchers Simon Aarons and David Buchanan and reported to Google in January 2023. Google issued a fix for the Pixel 4A, 5A, 7 and 7 Pro in its March 2023 security patch.
However, because the vulnerability existed for five years before it was discovered, cropped/edited images shared within the last five years are potentially at risk, depending on the platform they were shared to.
According to a FAQ page (unavailable at the time of this writing) shared with 9to5Google, the vulnerability existed because Markup saves edited image files in the same location as the original file, without first erasing the original file. If the edited file is smaller than the original file, a trailing portion of the original file remains in the save location, and that part of the original file is recoverable using a reverse-engineered exploit. The full technical details of the vulnerability and exploit are detailed on Buchanan’s blog, and the researchers have also created a demo tool for recovering affected Pixel photos.
But it looks like the Google team isn’t the only team to have missed this vulnerability in their code, because Windows 11’s Snipping Tool and Windows 10’s Snip & Sketch (but not Windows 10’s Snipping Tool) appear to have the same vulnerability — despite being, as Buchanan points out, part of an entirely unrelated codebase. Buchanan tested a modified version of the exploit on Windows 11 and was able to recover most of the original image:
Needless to say, this is not great, considering people typically crop and edit images to protect information, identities, etc. And while some platforms, such as Twitter, strip images of that trailing data when they’re uploaded, others, such as Discord, do not (or, well, did not until an update on January 17, 2023).
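The mechanism described above (an edited file written over the original at the same path without truncation, leaving a tail of the original behind) and the platform-side mitigation mentioned here (stripping everything after the image’s real end on upload) can both be checked with a few lines of Python. The script below is an added example, not code from the researchers or from Microsoft: it builds two small constructed PNGs, simulates the non-truncating overwrite in memory, reports how many bytes sit after the PNG `IEND` chunk, and returns a copy with that tail removed. It assumes the files in question are PNGs, which is what the Snipping Tool saves; the function and sample names are the example’s own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, pixel_fn) -> bytes:
    """Build a minimal 8-bit RGB PNG (constructed sample data, not a real screenshot)."""
    raw = b"".join(
        b"\x00" + b"".join(bytes(pixel_fn(x, y)) for x in range(width))  # filter byte 0 per row
        for y in range(height)
    )
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 = RGB
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw))
            + make_chunk(b"IEND", b""))


def png_logical_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.

    Anything after that offset is not part of the image and is never drawn by a
    viewer, so a well-formed PNG's logical end should equal its file size.
    Raises ValueError for non-PNG input or a file with no complete IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # chunk header + payload + CRC
        if pos > len(data):
            raise ValueError("truncated chunk (corrupt PNG)")
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found (truncated or corrupt PNG)")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after IEND: zero for a clean file, positive for a stale tail."""
    return len(data) - png_logical_end(data)


def strip_trailing(data: bytes) -> bytes:
    """Return the image with everything after IEND removed (what a careful uploader does)."""
    return data[:png_logical_end(data)]


def simulate_overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Model the bug: the edited image is written over the original at the same path
    without truncating, so bytes of the original beyond len(edited) remain on disk."""
    buf = bytearray(original)
    buf[:len(edited)] = edited
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # Usage: python check_png_tail.py screenshot.png [more.png ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            n = trailing_bytes(fh.read())
        print(f"{path}: {n} byte(s) after IEND" + ("  <-- stale data present" if n else ""))
```

A positive count from `trailing_bytes` is the signal that a file carries data the editor never meant to keep; `strip_trailing` is the safe fix to apply before sharing, and it is also the kind of normalisation a platform can do at upload time. The check is conservative: it only looks at structure, never at the stale bytes themselves.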
Aarons demonstrated the original flaw with a cropped image of a credit card with its number blacked out that was uploaded to Discord. Using the exploit on the downloaded image managed to recover about 80% of the original image, including the “redacted” numbers.
Buchanan says that Snipping Tool version 11.2302.20.0, which is not currently available to regular users but can be manually installed, appears to fix the problem. But at this point I’m not sure I’d trust any built-in screenshot editing tools (not that I ever did, once I realized Apple’s Markup tool has an undo feature) — better to just crop using a third-party tool.