Security researchers confirm Microsoft patch fixes ‘aCropalypse’ bug

The researchers who recently discovered a novel Windows vulnerability that could allow cropped screenshots to be restored say the bug has been fixed.

Last week, cybersecurity researchers Simon Aarons and David Buchanan reported on the ‘aCropalypse’ vulnerability in Pixel's inbuilt screenshot editing tool, Markup, that allowed anyone to partially recover the original unedited image data of a cropped or redacted screenshot.

They even created a website where people can upload a screenshot and potentially see the original version.

Buchanan later revealed on Twitter that the issue — tracked as CVE-2023-21036 — also affected the Windows Snipping Tool. The same exploit script works with minor changes, according to Buchanan, who tested it on Windows 11. Cybersecurity expert Will Dormann confirmed that the issue appeared on Windows 11 and also in the Snip & Sketch tool on Windows 10.

Microsoft initially told The Record it was investigating the issue and a spokesperson later confirmed that the vulnerability has been fixed.

“We have released a security update for these tools via CVE-2023-28303. We recommend customers apply the update,” a Microsoft spokesperson said.

Buchanan told The Record that he has looked at the fix and confirmed it addresses the issue.

The researchers said the main concern is for images that include intentionally redacted aspects, like license plates or credit cards.

Microsoft said they gave the vulnerability a low severity rating because “successful exploitation requires uncommon user interaction and several factors outside of an attacker's control.”

“For an image to be subject to this issue, a user must have created it under specific conditions: The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location,” the company said.

“The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location. Common use cases like copying the image from Snipping Tool or modifying it before saving it are not affected.”

As an example, Microsoft said that if a person takes a screenshot of their bank statement, saves it to their desktop and then crops out their account number before saving it to the same location, the cropped image could still contain the account number in a hidden format that could be recovered by anyone who has access to the complete image file.

“However, if you copy the cropped image from Snipping Tool and paste it into an email or a document, the hidden data will not be copied, and your account number will be safe,” the company explained, adding that the default Snipping Tool in Windows 10 and older versions was unaffected.
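As an added example (not code from the researchers or from Microsoft), the check below walks a PNG's chunk list and reports any bytes left after the IEND end-of-image marker, which is what a file written in place without truncation retains from the larger original; `make_png` and `overwrite_without_truncate` are constructed helpers that build a sample screenshot and model that faulty save, assumed here as the bug's mechanism.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(width: int, height: int, rgb=(0, 0, 0)) -> bytes:
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed
    sample input; level-0 zlib keeps the size proportional to the pixel count)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width  # filter byte 0 followed by the pixels
    idat = zlib.compress(row * height, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def overwrite_without_truncate(original: bytes, replacement: bytes) -> bytes:
    """Model the faulty in-place save (assumption about the bug's mechanism):
    the smaller edited file overwrites the start of the old file on disk, but
    the old file's tail beyond the new length is never truncated away."""
    return replacement + original[len(replacement):]

def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.
    A clean PNG returns 0; anything else is leftover data worth investigating.
    Raises ValueError for files that are not well-formed PNGs up to IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + body + 4-byte CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    raise ValueError("no IEND chunk found")

if __name__ == "__main__":
    full = make_png(64, 64, (200, 30, 30))        # the original screenshot
    cropped = make_png(8, 8, (200, 30, 30))       # the edited, smaller version
    on_disk = overwrite_without_truncate(full, cropped)
    print("clean crop:", trailing_bytes_after_iend(cropped), "trailing bytes")
    print("in-place save:", trailing_bytes_after_iend(on_disk), "trailing bytes")
```

A non-zero count means the file should be re-exported (for example by pasting a fresh copy, as Microsoft describes) before it is shared, since the tail may hold pixels from the uncropped image.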

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.