Microsoft investigating reports of ‘aCropalypse’ image-crop vulnerability in Windows
Microsoft is examining reports that a vulnerability allowing someone to recover the cropped or redacted parts of Google Pixel screenshots also affects tools within Windows.
On Friday, cybersecurity researchers Simon Aarons and David Buchanan reported on a vulnerability in the Pixel's inbuilt screenshot editing tool, Markup, that allowed anyone to partially recover the original unedited image data of a cropped and/or redacted screenshot.
They even created a website where people can upload a screenshot and potentially see the original version.
On Tuesday, Buchanan revealed on Twitter that the issue — tracked as CVE-2023-21036 — also affects the Windows Snipping Tool. The same exploit script works with minor changes according to Buchanan, who tested it on Windows 11. Cybersecurity expert Will Dormann confirmed that the issue appears on Windows 11 and also the Snip & Sketch tool on Windows 10.
“We are aware of these reports and are investigating,” a Microsoft spokesperson told The Record when asked about the issue. “We will take action as needed to help keep customers protected.”
The main concern is for images that include intentionally redacted aspects like license plates or credit card numbers.
Buchanan and Aarons originally informed Google of the vulnerability in January and the tech giant fixed the issue in a patch released on March 6.
The issue revolves around a built-in screenshot editor called "Markup" that was added to Pixel devices in 2018.
Any Pixel user who takes a screenshot is immediately hit with a pop-up that asks whether you would like to edit the screenshot.
The researchers explained that on a basic level, when you crop and save a screenshot, the device overwrites the image with the new version but leaves the rest of the original file in its place.
“So if you were to take a screenshot of an app which shows your address on screen, then crop it, if you could recover the information somehow that's a big deal,” Buchanan explained in a blog.
He created a proof-of-concept exploit for the bug and tested it out on some of his own cropped screenshots that he had shared on Discord.
“The worst instance was when I posted a cropped screenshot of an eBay order confirmation email, showing the product I’d just bought. Through the exploit, I was able to un-crop that screenshot, revealing my full postal address (which was also present in the email). That’s pretty bad!” he said.
Unfortunately for Pixel users, the patch will have no effect on edited screenshots that have already been shared since 2018. Some platforms, like Twitter, delete all hidden data in photos uploaded to their site but others, as Buchanan found with Discord, post the original file.
Jonathan Greig