Security researchers have discovered that the Windows 11 Snipping Tool doesn’t actually delete the parts of an image that users choose to cut out, allowing anyone in possession of a cropped picture to partially recover the full, uncropped version.
The news broke just hours after it was revealed that Google Pixel phones have had the same, severe vulnerability present for over five years.
While tools like VPNs help users claw back a modicum of privacy in their online lives, stories like this provide a sobering reminder of the importance of discovering and patching vulnerabilities baked into the features and functions of the operating systems we use.
Windows Snipping Tool Exposes Users
This week, security researchers have shown that Windows 11 tools for screenshotting and cropping images retain a lot of the original image data, allowing any recipient of such a photo to regenerate significant portions of the initial image.
Instead of simply deleting or removing the parts of the image a given user has cropped, Windows just leaves the unused data behind – which explains why images cropped with the Windows Snipping Tool often appear to be the same size as the uncropped originals.
Vulnerability researcher Will Dormann shows how you can confirm this on Twitter:
1. Copy an image (to have a backup)
2. Open one with Snipping tool
3. Crop it to make it much smaller
4. Click the Save icon
5. Compare file sizes of cropped and original
6. Wonder about the world that you live in https://t.co/2V3totEqw6 pic.twitter.com/g19MTxlzN1
— Will Dormann (@wdormann) March 21, 2023
A PNG file always finishes with an “IEND” chunk – any data appearing after this chunk is ignored by image viewers displaying the image. However, the unused data that corresponds to the cropped-out parts of the image remains attached after IEND, allowing anyone with a hex editor to recover it.
Cropping with a Google Pixel – and in Google Docs – is Also Risky
Worryingly, this news comes shortly after a similar flaw was revealed in Google Pixel phones, which has been exploitable for around five years. In theory, any cropped image sent in that time period could be partially recovered.
However, Google was made aware of the vulnerability in January 2023, and a patch was rolled out on March 13.
This isn't the only time that this sort of vulnerability has cropped up in recent months. Last month, whistleblowers were warned that there are multiple ways to uncover the original version of a cropped image within Google Docs.
Even if a user doesn't have edit permission, pressing copy on the image and then pasting it into another Google Doc will allow anyone to reset the image to its original size.
The Acropalypse: A Dark Day for User Privacy
Now that we know this genre of vulnerability affects multiple cropping tools, it makes you wonder what other image-capturing features also suffer from a similar flaw.
We’d strongly advise against cropping and sending images containing sensitive information in Windows 11 until this issue is fully resolved and Microsoft can conclusively show that the original image data isn’t being transferred along with cropped images in their respective programs.
Aside from this, there’s very little you can do, other than ensure your systems are updated with the latest security patches.
Of course, vulnerabilities like this aren’t the only threat to your privacy you may run into while using your phone or computer – and unlike the issue at hand, there are things you can do to mitigate many of them.
A VPN, for instance, will significantly enhance your privacy while you use the internet – and unlike Windows snipping tool, it won’t actually leak your data. So make sure you're staying up to date with the latest vulnerabilities and data breaches, while investing in software that will actually protect you.