Windows 11 Snipping Tool Exposes Cropped Parts of Images

The vulnerability, also discovered on some Google Pixel phones, has been dubbed "the Acropalypse" by security researchers.

Security researchers have discovered that the Windows 11 Snipping Tool doesn't actually delete the parts of the image users choose to cut out, allowing anyone in possession of a cropped picture to partially recover the full, uncropped version.

The news broke just hours after it was revealed that Google Pixel phones have had the same, severe vulnerability present for over five years.

While tools like VPNs help users claw back a modicum of privacy in their online lives, stories like this provide a sobering reminder of the importance of discovering and patching vulnerabilities baked into the features and functions of the operating systems we use.

Windows Snipping Tool Exposes Users

This week, security researchers have shown that Windows 11 tools for screenshotting and cropping images retain a lot of the original image data, allowing any recipient of such a photo to regenerate significant portions of the initial image.

Instead of simply deleting or removing the parts of the image a given user has cropped, Windows just leaves the unused data behind – which explains why images cropped with the Windows Snipping Tool often appear to be the same size as the uncropped originals.

Vulnerability researcher Will Dormann showed on Twitter how you can confirm this:

A PNG file always ends with an "IEND" chunk, and image viewers ignore any data that appears after it. However, the unused data corresponding to the cropped-out parts of the image remains attached after that point, allowing anyone with a hex editor to recover it.
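The check described above can be automated from the defender's side: walk the PNG chunk list to the IEND chunk and compare that offset with the file length, then truncate the file there before sharing it. The script below is an added example, not code from the article or from Dormann's tweet; the tiny PNG and the padding appended to it are constructed here as sample input.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iend_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk, i.e. where a well-formed
    PNG should stop. Raises ValueError for a non-PNG or truncated file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + payload + CRC
        if pos > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after IEND: viewers ignore them, but they may still
    hold data from the uncropped image, so anything > 0 deserves a look."""
    return len(data) - iend_offset(data)


def strip_trailing(data: bytes) -> bytes:
    """Return the PNG cut at IEND so nothing beyond it is shipped."""
    return data[:iend_offset(data)]


def make_tiny_png() -> bytes:
    """Constructed 1x1 RGB PNG used only as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    clean = make_tiny_png()
    suspect = clean + b"\x00" * 512  # constructed stand-in for leftover data
    print(trailing_bytes(clean), trailing_bytes(suspect))  # 0 512
    assert strip_trailing(suspect) == clean
```

Run the same two functions over a real screenshot: a non-zero trailing count on a cropped file is the symptom the article describes, and the truncated copy is the one to share.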

Cropping with a Google Pixel – and in Google Docs – is Also Risky

Worryingly, this news comes shortly after a similar flaw was revealed in Google Pixel phones, which has been exploitable for around five years. In theory, any cropped image sent in that time period could be partially recovered.

However, Google was made aware of the vulnerability in January 2023, and a patch was rolled out on March 13.

This isn’t the only time that this sort of vulnerability has cropped up in recent months. Last month, whistleblowers were warned that there are multiple ways to uncover the original version of a cropped image within Google Docs.

Even if a user doesn’t have edit permission, pressing copy on the image and then pasting it into another Google Doc will allow anyone to reset the image to its original size.

The Acropalypse: A Dark Day for User Privacy

Now that we know this genre of vulnerability affects multiple cropping tools, it makes you wonder what other image-capturing features also suffer from a similar flaw.

We’d strongly advise against cropping and sending images containing sensitive information in Windows 11 until this issue is fully resolved and Microsoft can conclusively show that the original image data isn’t being transferred along with cropped images in their respective programs.

Aside from this, there’s very little you can do, other than ensure your systems are updated with the latest security patches.

Of course, vulnerabilities like this aren’t the only threat to your privacy you may run into while using your phone or computer – and unlike the issue at hand, there are things you can do to mitigate many of them.

A VPN, for instance, will significantly enhance your privacy while you use the internet – and unlike the Windows Snipping Tool, it won't actually leak your data. So make sure you're staying up to date with the latest vulnerabilities and data breaches, while investing in software that will actually protect you.

Written by:
Aaron Drapkin is Tech.co's Content Manager. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol six years ago. Aaron's focus areas include VPNs, cybersecurity, AI and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, Lifewire, HR News and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.