Researchers recently announced the ‘acropalypse’ vulnerability in the Pixel’s screenshot tools, but it seems like Google wasn’t the only company to make this mistake.
You know how researchers recently discovered that the Pixel’s built-in cropping tool didn’t actually get rid of the data you removed, and that a little digging let you see the parts of the image that had supposedly been cut out? One of those researchers is now reporting that Microsoft’s Snipping Tool for Windows 11, as well as the Snip & Sketch tool in Windows 10, has a very similar vulnerability, which could mean that information people thought they’d gotten rid of is now floating around on the internet.
According to a tweet from David Buchanan, if you take a screenshot with the tool, press the save button, and then crop it and save it to the same file, the cropped-out image data may still be present in the file. Buchanan says you can even use pretty much the same code that let you recover the rest of a Pixel screenshot to get at that data, as long as you make some “minor changes.”
The vulnerability does appear to be somewhat limited in scope. Buchanan says the exploit “requires save-crop-save,” meaning the leftover data only ends up in the file when a cropped version is saved over a file that already exists; if your initial screenshot only included the section of the screen you wanted, there is nothing left over to recover. And while Windows 10’s Snip & Sketch tool allegedly has the same issue, Buchanan says the original Snipping Tool for Windows 10 doesn’t.
Last week, Buchanan and researcher Simon Aarons sounded the alarm about the “acropalypse” vulnerability for Pixels, pointing out that even a fix for this type of issue doesn’t make it go away. The images you made using the tool could still be out there, with the things you wanted to crop out potentially intact.
It appears that announcement spurred people to look into other screenshotting tools. Chris Blume, who chairs the working group for the PNG image format that Snipping Tool uses, helped tip Buchanan off to the issue by tweeting that Snipping Tool seems to not truncate files correctly when overwriting existing images. In practice, that means the smaller cropped PNG is written over the start of the old file, but the old file is not shortened to match, so whatever followed in the original image is left sitting after the new image’s IEND chunk, where a normal image viewer will never show it.
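The following Python script is an added illustration of that file-level behaviour and is not code from The Verge, Buchanan, Blume, or Microsoft. It builds a constructed 64×64 PNG, overwrites it with a 16×16 “crop” in two ways (opening the file without O_TRUNC to model the non-truncating save, and a normal truncating write for comparison), then walks the PNG chunk list to IEND and reports any bytes that follow it. The exact file-handling code inside Snipping Tool is not public, so modelling the bug as a missing truncate is an assumption based on Blume’s description; the script only detects and measures the leftover tail, it does not attempt to reconstruct pixels from it.

```python
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb_pixels: bytes) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (IHDR, one IDAT, IEND) from raw pixel bytes."""
    assert len(rgb_pixels) == width * height * 3
    row_len = width * 3
    # Filter type 0 (None) in front of every scanline, then a single zlib stream.
    raw = b"".join(b"\x00" + rgb_pixels[y * row_len:(y + 1) * row_len] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def iend_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND's CRC (the logical end of file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> bytes:
    """Everything after IEND. A clean PNG yields b''; leftover data is the acropalypse signal."""
    return data[iend_end_offset(data):]


def overwrite_without_truncate(path: str, new_bytes: bytes) -> None:
    """Assumed model of the bug: open for writing but do NOT truncate, so the old tail survives."""
    fd = os.open(path, os.O_WRONLY)  # deliberately no os.O_TRUNC
    try:
        view = memoryview(new_bytes)
        while view:
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)


def overwrite_with_truncate(path: str, new_bytes: bytes) -> None:
    """The correct behaviour: 'wb' truncates the file before writing."""
    with open(path, "wb") as f:
        f.write(new_bytes)


def demo() -> dict:
    """Save a large image, 'crop' it over the same file both ways, and measure what is left over."""
    rng = random.Random(1234)  # deterministic, incompressible pixels so the original is large
    original = make_png(64, 64, bytes(rng.getrandbits(8) for _ in range(64 * 64 * 3)))
    cropped = make_png(16, 16, bytes(rng.getrandbits(8) for _ in range(16 * 16 * 3)))

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shot.png")
        overwrite_with_truncate(path, original)      # step 1: initial save
        overwrite_without_truncate(path, cropped)    # step 2: buggy crop-and-save
        with open(path, "rb") as f:
            buggy = f.read()
        overwrite_with_truncate(path, original)      # reset
        overwrite_with_truncate(path, cropped)       # step 2 done correctly
        with open(path, "rb") as f:
            fixed = f.read()

    buggy_tail = trailing_bytes(buggy)
    return {
        "buggy_tail_len": len(buggy_tail),
        "fixed_tail_len": len(trailing_bytes(fixed)),
        # The leftover bytes are exactly the part of the original past the new file's length.
        "tail_is_original_suffix": buggy_tail == original[len(cropped):],
    }


if __name__ == "__main__":
    print(demo())
```

To audit real screenshots, call `trailing_bytes()` on each file: any non-empty result means the file was written over something longer, and the size of the tail is an upper bound on how much of the earlier image remains. A normal decoder stops at IEND, which is why the viewer shows only the crop while the bytes are still there on disk.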
Microsoft didn’t immediately respond to The Verge’s request for comment about the issue.