Photo Cropping Bug Exposes Unedited Images in Windows 11 and Google Pixels

If you’ve been using Windows 11’s built-in screenshot cropping tool, you’ll want to know about a recently disclosed bug that security researchers say poses a serious privacy problem.

Microsoft’s Snipping Tool lets users easily edit and crop screenshots, but, according to recent research, it has a flaw that lets anyone who gets hold of the saved file partially recover the unedited original. When a cropped image is saved over the original file, the tool is supposed to truncate that file so the discarded image data is gone. It isn’t doing that. Instead, the smaller cropped image is written over the start of the file and the remainder of the original stays on disk after it, and a short script can parse that leftover data and rebuild parts of the image that were meant to have been deleted. The leak only arises when the edit is saved over the existing file; a cropped image saved under a new name carries nothing to recover.

Dubbed “acropalypse,” the bug was recently discovered by two security researchers, David Buchanan and Simon Aarons, who initially found that it affected a different cropping tool: the Markup tool on Google’s Pixel phones. There, Buchanan and Aarons found they could recover parts of pictures that had been cropped with Markup. Today, another researcher, Chris Blume, discovered that the same bug also affects Microsoft’s Snipping Tool.

The concern is that anyone who obtains an affected image could recover potentially sensitive information from the area that was cropped away. So, if you’ve been using Microsoft’s snipper to crop screenshots of confidential documents, financial information, or your nudes, you should probably be concerned. In a blog post, Buchanan describes testing the recovery method on his own Markup-edited Pixel images and slowly realising just how much invasive potential the flaw had:

The worst instance was when I posted a cropped screenshot of an eBay order confirmation email, showing the product I’d just bought. Through the exploit, I was able to un-crop that screenshot, revealing my full postal address (which was also present in the email). That’s pretty bad!

The technical details of how the leftover data is turned back into image pixels are involved, though Bleeping Computer notes that, in the case of Microsoft’s Snipping Tool, researchers managed it with a short Python script. For the Pixel, the researchers have launched a dedicated page where you can upload a cropped PNG and test whether it is recoverable. That page appears to have been quick to spin up, considering the bug was only discovered a couple of weeks ago and was made public a matter of days ago.

Gizmodo reached out to Microsoft for comment on the security issue and will update this story if anyone responds.
