A bug in the Windows 11 Snipping Tool or Windows 10 Snip and Sketch could let people read info that had been cropped from an image. Microsoft has released an emergency update to fix the bug.
Because it involves ‘cropping’ an image, the bug has been called ‘Acropalypse’.
Taking screenshots, your guide for Windows, Mac, iPhone, iPad and more
Secrets still left in docs after Document Inspector in Office
Image privacy breach still in Microsoft Office
What’s the problem?
When you crop an image, the cropped parts aren’t always removed from the saved image. Instead, the parts you think are deleted are saved at the end of the file. A hacker could get any private information that you thought was deleted.
As usual, Microsoft tries to downplay the problem, classifying it as low severity. They say:
“The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control.
For an image to be subject to this issue, a user must have created it under specific conditions:
- The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
- The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.
Common use cases like copying the image from Snipping Tool or modifying it before saving it are not affected.”
Source: Microsoft, Windows Snipping Tool Information Disclosure Vulnerability
We disagree that these are ‘uncommon’ situations. Taking a screenshot, modifying it then saving to the same location is, in Microsoft speak, a common ‘use case’.
Cropped images also not deleted in Office
A timely reminder that when you crop a picture in Office, the cropped parts are kept in the document until they are specifically deleted. See Image privacy breach still in Microsoft Office.
Windows 11 and Windows 10
The bug affects the screenshot editing tools in both Windows 11 and Windows 10.
- Snip and Sketch – Windows 10, version 10.2008.3001.0 and later are OK
- Snipping Tool – Windows 11, version 11.2302.20.0 and later are OK
Google has a similar bug in their Markup Tool on Pixel phones.
How to update
The normal Windows Update process doesn’t work in this case because Snipping Tool and Snip and Sketch are handled as separate apps (even though they are installed with Windows).
The good news – chances are that the app has already been updated, but it doesn’t hurt to check.
Go to the Microsoft Store | Library then click ‘Get updates’ to force an update for all installed apps.
If you want to check, choose the app (Snipping Tool or Snip and Sketch) and scroll down to the tiny mention of ‘Installed version’.