A serious privacy vulnerability known as 'acropalypse' has also been discovered in the Windows Snipping Tool, enabling people to partially restore content that was photoshopped out of an image.
Security researchers David Buchanan and Simon Aarons discovered last week that a bug in Google Pixel's Markup Tool caused the original image data to be retained even when it was edited or cropped out.
This flaw poses a significant privacy risk because it may be possible to partially recover the original photo if a user shares a picture, such as a credit card with a redacted number or revealing photos with the face removed.
To demonstrate the bug, the researchers created an online acropalypse screenshot recovery tool that attempted to recover edited images created on Google Pixel.
The Windows 11 Snipping Tool was also affected
Today, Chris Blume, a software engineer, confirmed that the 'acropalypse' privacy flaw also affects the Windows 11 Snipping Tool. Instead of truncating any unused data when opening a file in the Windows 11 Snipping Tool and overwriting an existing file, it leaves the unused data behind, allowing it to be partially recovered.
Will Dormann, a vulnerability expert, also confirmed the Windows 11 Snipping Tool flaw, and BleepingComputer confirmed the issue with Dormann's assistance. To put this to the test, Bleeping Computer opened an existing PNG file in Windows 11 Snipping Tool, cropped it (you can also edit or mark it up), and saved the changes to the original file.
While the cropped image comprises far less data than the original, the file sizes for the original image (office-screenshot-original.png) and cropped image (office-screenshot.png) are identical. According to the PNG file specification, a PNG image file must always end with a 'IEND' data chunk, with any data added after that being ignored by image editors and viewers.
However, when used the Windows 11 Snipping Tool to overwrite the original image with the cropped version, the programme did not properly truncate the unused data, and it is still present after the IEND data chunk.
When you open the file in an image viewer, you'll only see the cropped image because anything after the first IEND is ignored. This untruncated data, on the other hand, can be used to partially recreate the original image, potentially revealing sensitive portions.
While the researcher's online acropalypse screenshot recovery app does not currently support Windows files, Buchanan did share with BleepingComputer a Python script that can be used to recover Windows files.
BleepingComputer successfully recovered a portion of the image using this script. This was not a complete recovery of the original image, which may leave you wondering why this poses a privacy risk.
Consider taking a screenshot of a sensitive spreadsheet, confidential documents, or even a naked picture and cropping out sensitive information or portions of the image. Even if you are unable to fully recover the original image, someone may be able to recover sensitive information that you do not want made public. It should also be noted that this flaw does not affect all PNG files, such as optimised PNGs.
"Your original PNG was saved with a single zlib block (common for "optimised" PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.
BleepingComputer also discovered that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped away, rendering it unrecoverable.
Finally, the Windows 11 Snipping Tool behaves similarly to the above with JPG files, leaving data untruncated if overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs but that it might in the future. Microsoft confirmed to BleepingComputer that they are aware of the reports and are investigating them.
"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.