When you capture a screenshot and crop out sensitive information, in some circumstances it is still possible to recover part of the image that was supposedly removed.
This isn’t the first time redacted documents have turned out to have left hidden data intact and readable with the right tools and knowledge. A recent bug in Google’s Markup tool for the Pixel phone, humorously dubbed the “Acropalypse,” shows this issue might be surprisingly common.
In a comment on the tweet about the Pixel bug, Chris Blume shared a similar discovery about the Windows Snipping Tool. A PNG image that requires only 198 bytes grows to a much larger 4.7 kB file when saved over an existing image. When saved as a new file, it increases by only 56 bytes, probably from added metadata.
https://twitter.com/ProgramMax/status/1638217206180741121
The implication is that the Windows Snipping Tool overwrites files in place without reallocating storage or shrinking the file to the new length. The new image data is written over the start of the existing file, followed by an end-of-file marker, and the rest of the old content remains on disk after it.
While this might not sound like a common occurrence, consider the scenario Bleeping Computer described. You take a screenshot with the Windows Snipping Tool and save it. Realizing some sensitive data is visible, you crop it out and save over the original file.
In the Windows File Explorer preview pane and the Photos app, the crop appears to have succeeded. In truth, the file size is the same as that of the uncropped version, and parts of the old image are still there.
The old data isn't visible to a casual viewer, but it is not that hard to find if you are looking for it and have some developer tools or a specialized app made to take advantage of this vulnerability.
Microsoft is aware of the issue and is currently investigating. In the meantime, you can protect yourself by cropping with the Photos app or another Windows photo editor. You can also keep using the Snipping Tool safely if you save cropped screenshots as new files instead of overwriting existing ones.
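The behaviour described above (new data written over the old file, end-of-image marker, stale bytes left behind) can be reproduced and checked with a few lines of code. The following is an added example and not code from the article, Microsoft or Chris Blume: it builds two small constructed PNGs (an "uncropped" one and a much smaller "cropped" one), saves the small one over the large one first without truncating the file, the way the Snipping Tool is suspected to, and then with a normal truncating write, and walks the PNG chunk list to count how many bytes sit after the `IEND` chunk, which is the PNG end-of-image marker. The helper names (`make_png`, `png_end_offset`, `trailing_bytes`, `demo`) are this example's own; the image sizes and file name are constructed values, not the 198-byte and 4.7 kB figures from the tweet.

```python
import os
import struct
import tempfile
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Construct a minimal valid 8-bit greyscale PNG (all-black pixels) of the given size."""
    # IHDR: width, height, bit depth 8, colour type 0 (greyscale), compression/filter/interlace 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # one filter byte (0 = None) followed by `width` pixel bytes per scanline
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list and return the offset just past the first IEND chunk.

    Returns None if the data is not a PNG or the chunk list is truncated.
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND: anything here is not part of the image and should not be there."""
    end = png_end_offset(data)
    if end is None:
        raise ValueError("not a well-formed PNG")
    return len(data) - end


def overwrite_without_truncate(path: str, new_data: bytes) -> None:
    """Model of the suspected faulty save: reuse the existing file, never shrink it."""
    with open(path, "r+b") as f:       # "r+b" keeps the old length; write starts at offset 0
        f.write(new_data)


def overwrite_with_truncate(path: str, new_data: bytes) -> None:
    """Correct save: "wb" truncates the file to zero length before writing."""
    with open(path, "wb") as f:
        f.write(new_data)


def demo() -> dict:
    """Reproduce both saves on a constructed screenshot and report what is left behind."""
    uncropped = make_png(256, 256)     # constructed stand-in for the original screenshot
    cropped = make_png(8, 8)           # constructed stand-in for the cropped version
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "screenshot.png")  # constructed file name
        with open(path, "wb") as f:
            f.write(uncropped)
        overwrite_without_truncate(path, cropped)
        with open(path, "rb") as f:
            after_bad_save = f.read()
        overwrite_with_truncate(path, cropped)
        with open(path, "rb") as f:
            after_good_save = f.read()
    return {
        "original_size": len(uncropped),
        "cropped_size": len(cropped),
        "size_after_bad_save": len(after_bad_save),
        "leftover_after_bad_save": trailing_bytes(after_bad_save),
        "size_after_good_save": len(after_good_save),
        "leftover_after_good_save": trailing_bytes(after_good_save),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`trailing_bytes(open(path, "rb").read())` applied to a real screenshot is the quick check: a cropped PNG that still has the size of the original and reports a non-zero count after `IEND` is one that was saved in place rather than rewritten, and re-saving it as a new file (or through an editor that truncates) clears the leftover. The check stops at the first `IEND` it meets, which is the correct one, since the new image is written at the start of the file and the stale bytes follow it.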