The Windows 11 cropping tool shares a Google Pixel security flaw

A glitched screenshot taken with Windows 11, run through the Acropalypse exploit script.
(Image credit: Twitter / David Buchanan)

Fresh off the back of Google Pixel’s Markup tool being found to have retained image data even when edited out, software engineer Chris Blume has found a similar bug in the Windows 11 Snipping Tool.

Dubbed “acropalypse”, the phenomenon works when an existing file is overwritten with edits, such as crops. Rather than omitting the cropped data, the image file retains it, potentially allowing it to be recovered and used in an identity theft attack.

Per BleepingComputer, the researchers who discovered the original Google Pixel flaw, David Buchanan and Simon Aarons, have launched a tool demonstrating that this is possible, although we should probably stress that you should only use it for testing purposes.

Acropalypse on Windows 11

The Windows rendition of the bug, which also applies to Windows 10’s Snip and Sketch tool, has been corroborated by vulnerability expert Will Dormann and BleepingComputer in testing, but it’s also easily verifiable by anyone.

In Snipping Tool, once you’ve take a screenshot, cropped it, and saved it as a copy of the original, compare the file sizes. With any (bad) luck, they’re the same.

And, as you can notice by opening one in a text editor, PNG files generally require that all files end with an “IEND” data chunk, but Snipping Tool fails to both remove the data, and presents it after the chunk.

That Google Pixel and Windows are both susceptible to a highly similar bug with the potential to do quite a bit of harm should be concerning given that, as Buchanan noted in a profane tweet on Tuesday, the Markup and Snipping tools are two “entirely unrelated” codebases.

TOPICS
Luke Hughes
Staff Writer

 Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.