Critical Windows Snipping Tool Vulnerability

Redaction privacy flaw exposes masked image content

A critical privacy flaw named 'Acropalypse' has also been found to affect the Windows Snipping Tool, allowing people to partially recover content that was edited out of an image.

Last week, security researchers David Buchanan and Simon Aarons discovered that a bug in Google Pixel's Markup Tool caused the original image data to be retained even if it was edited or cropped out.

This flaw poses a critical privacy concern: if a user shares a picture, such as a credit card with a redacted (more accurately, masked) number or a revealing photo with the face removed, it may be possible to partially recover the original photo. The researchers recreated the flaw and launched an online Acropalypse screenshot recovery utility that attempts to recover edited images created on Google Pixel devices.

Windows 11 Snipping tool affected too

Software engineer Chris Blume confirmed that the ‘Acropalypse’ privacy flaw also affects the Windows 11 Snipping Tool.



When the Windows 11 Snipping Tool opens a file and overwrites the existing file, it does not truncate the unused data; the leftover data stays in the file, where it can be partially recovered.

Vulnerability expert Will Dormann also confirmed the Windows 11 Snipping Tool flaw, and with Dormann's help, BleepingComputer confirmed the issue as well. To test this, we opened an existing PNG file in the Windows 11 Snipping Tool, cropped it (can also edit or mark it up), and then saved the changes to the original file. The original and cropped images are illustrated below.


The original image is on the left, the cropped image on the right. Source: BleepingComputer


While the cropped image now contains far less data than the original one, the file sizes for the original image file (office-screenshot-original.png) and cropped image file (office-screenshot.png) are the same, as seen below.


Original and cropped images have the same file size. Source: BleepingComputer

The PNG file specification requires that a PNG image file always ends with an 'IEND' data chunk, with any data added after it being ignored by image editors and viewers. For example, below is the original screenshot that I took of Microsoft's site. As you can see, the file ends with an IEND and contains no data after it.

IEND chunk at the end of the original PNG image. Source: BleepingComputer


However, when the Windows 11 Snipping Tool overwrote the original image with the cropped version, it did not truncate the unused data, which remains after the IEND chunk.


Untruncated data after the IEND data chunk. Source: BleepingComputer

Opening the file in an image viewer displays only the cropped image, since anything after the first IEND is ignored. However, this untruncated data can be used to partially reconstruct the original image, potentially revealing sensitive portions.
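To check whether a saved screenshot carries this leftover tail, here is an added example (not Buchanan's recovery script and not code from the article): it walks the PNG chunk list to the first IEND, reports how many bytes follow it, and truncates there, which is the cleanup the tool should have performed on overwrite. The sample files are constructed in code, and `simulate_overwrite_without_truncate` is a hypothetical helper that reproduces the in-place overwrite the article describes.

```python
"""Detect and strip data left behind after a PNG's IEND chunk (constructed demo)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_image_end(data: bytes) -> int:
    """Offset just past the first IEND chunk, or -1 if the data is not a complete PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 4-byte length, 4-byte type, payload, 4-byte CRC
        if end > len(data):
            return -1  # chunk claims more bytes than the file holds
        if ctype == b"IEND":
            return end  # viewers stop here; anything after this offset is ignored
        pos = end
    return -1

def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND; non-zero means leftover image data may be recoverable."""
    end = png_image_end(data)
    if end < 0:
        raise ValueError("not a well-formed PNG")
    return len(data) - end

def strip_trailing(data: bytes) -> bytes:
    """Truncate at IEND, which is what the editor should have done on overwrite."""
    return data[:len(data) - trailing_bytes(data)]

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

def make_png(width: int, height: int) -> bytes:
    """Constructed sample: an 8-bit RGB PNG with a poorly compressible pattern."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x * 7 + y * 13) & 0xFF for x in range(width * 3))
                    for y in range(height))  # filter type 0 before each scanline
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")

def simulate_overwrite_without_truncate(original: bytes, cropped: bytes) -> bytes:
    """Hypothetical helper: write the smaller cropped file over the larger original in place."""
    return cropped + original[len(cropped):]
```

Run `trailing_bytes` over a file you are about to share; a non-zero result means the tail should be stripped before the image leaves your machine.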

While the researchers' online Acropalypse screenshot recovery app does not currently work with Windows files, Buchanan shared a Python script with BleepingComputer that can recover Windows files. Using this script, BleepingComputer successfully recovered a portion of the image, as shown below.


This was not a complete recovery of the original image, and you may be wondering why this is a privacy risk.
Imagine that you took a screenshot of a sensitive spreadsheet, confidential documents, or even a nude picture, and cropped out sensitive information or parts of the image.

Even if you can't fully recover the original image, someone could recover sensitive information you would not want to go public.

It should also be noted that not all PNG files are affected by this flaw; optimized PNGs, for example, are not.

"Your original PNG was saved with a single zlib block (common for 'optimized' PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.

BleepingComputer also found that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped off, making it no longer recoverable.

Finally, the Windows 11 Snipping Tool exhibits the same behavior with JPG files, leaving data untruncated when a file is overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs, though it could be possible.

Microsoft told BleepingComputer that they are aware of the reports and are looking into them.

"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.

Full credit to BleepingComputer for breaking the story.