Bug Makes Windows 11 Snipping Tool Images Recoverable After Editing

vulnerability
(Image credit: Shutterstock)

If you’ve been sharing screenshots that were cropped or edited with the Snipping Tool in Windows 11, your privacy may be at risk. 

It looks like Windows’ built-in screenshot editing tools are also part of “aCropalypse” — a recently-discovered security flaw in Google Pixel’s Markup image editing tool that allows for the partial recovery of original images from cropped or edited versions. 

The original vulnerability was discovered by security researchers Simon Aarons and David Buchanan and reported to Google in January 2023. Google issued a fix for the Pixel 4A, 5A, 7 and 7 Pro in its March 2023 security patch

However, because the vulnerability existed for five years before it was discovered, cropped/edited images shared within the last five years are potentially at risk, depending on the platform they were shared to. 

According to a FAQ page (unavailable at the time of this writing) shared with 9to5Google, the vulnerability existed because Markup saves edited image files in the same location as the original file, without first erasing the original file. If the edited file is smaller than the original file, a trailing portion of the original file remains in the save location, and that part of the original file is recoverable using a reverse-engineered exploit. The full technical details of the vulnerability and exploit are detailed on Buchanan’s blog, and the researchers have also created a demo tool for recovering affected Pixel photos. 

But it looks like the Google team isn’t the only team to have missed this vulnerability in their code, because Windows 11’s Snipping Tool and Windows 10’s Snip & Sketch (but not Windows 10’s Snipping Tool) appear to have the same vulnerability — despite being, as Buchanan points out, part of an entirely unrelated codebase. Buchanan tested a modified version of the exploit on Windows 11 and was able to recover most of the original image: 

partially recovered image from snipping tool

(Image credit: David Buchanan/Twitter)

Needless to say, this is not great, considering people typically crop and edit images to protect information, identities, etc. And while some platforms, such as Twitter, strip images of that trailing data when they’re uploaded, others, such as Discord, do not (or, well, did not until an update on January 17, 2023).

example of google pixel markup security flaw

(Image credit: Simon Aarons/Twitter)

Aarons demonstrated the original flaw with a cropped image of a credit card with its number blacked out that was uploaded to Discord. Using the exploit on the downloaded image managed to recover about 80% of the original image, including the “redacted” numbers.

Buchanan says that Snipping Tool version 11.2302.20.0, which is not currently available to regular users but can be manually installed, appears to fix the problem. But at this point I’m not sure I’d trust any built-in screenshot editing tools (not that I ever did, once I realized Apple’s Markup tool has an undo feature) — better to just crop using a third-party tool.

Sarah Jacobsson Purewal
Senior Editor, Peripherals

Sarah Jacobsson Purewal is a senior editor at Tom's Hardware covering peripherals, software, and custom builds. You can find more of her work in PCWorld, Macworld, TechHive, CNET, Gizmodo, Tom's Guide, PC Gamer, Men's Health, Men's Fitness, SHAPE, Cosmopolitan, and just about everywhere else.

  • Alvar "Miles" Udell
    Used Irfanview since the mid 90s for all my image editing needs. With the intro of the snipping tool it's easy enough to save the screenshot as a PNG (automatic on Windows 11 unless disabled), then edit and save as a JPEG in Irfanview.
    Reply
  • digitalgriffin
    This is due to something called "Layers" JPG has the same issue. It's been around for years.

    You see, every time you resave a lossy image, it gets more and more "Lossy" To keep the original image and not lose quality, the file standard applies layers on top, so the original image does not have to recompressed. I believe PNG's do this also if a different way. This is what the snipping tool does.

    Unfortunately 99.9% of the public don't know this. There are TWO ways to solve this problem:

    Open photo shop, and select "Layers->Flatten" It will force all the layers into one, destroying the original image. You'll get a slight image quality loss
    Copy paste into MS Paint. Save as a .BMP. (Forces layers to collapse) Reopen, and resave as a .JPG.
    Reply
  • DotNetMaster777
    Good work done by Security researchers ! ! ! !
    Reply