Recently, we heard of a vulnerability in the screenshot tool of Google's Pixel phones, referred to as aCropalypse, which can result in revealing sensitive information through screenshots, even without the user realizing it. As it turns out, Google isn't the only one with this issue, as the Snipping Tool app in Windows 11 suffers from the same problem.
If you're not familiar with aCropalypse, it's a vulnerability that allows almost anyone to undo the edits you've made on a screenshot, revealing information you've potentially cropped out or blurred in a screenshot. When you edit a screenshot, you might save it with the same name as the original file, overwriting it. However, as it turns out, the Windows 11 Snipping Tool doesn't delete the original information from the file, and just leaves it appended at the end, in a way that's not usually visible to users. With some trickery, a potential attacker can retrieve the hidden information from the file and see whatever information was edited out.
After the original discovery was shared in regard to Pixel phones, Twitter user Chris Blume chimed in with a report that suggested the same was happening on Windows 11. Since then, David Buchanan (who penned the original blog post explaining the vulnerability on Pixel phones) confirmed that it works almost exactly the same way with the Windows 11 Snipping Tool, albeit the app uses a different color model. You can verify this by looking at the file size, as edited screenshots will likely be much larger due to including the information from the original image.
This is a pretty serious vulnerability considering it's not uncommon for users to crop out or blur sensitive information in images of things you want to share. For example, if you share a screenshot of an order confirmation page on Amazon, it might include your address, and even if you cropped it out, this makes it possible for someone to potentially find that information anyway. You can apply that logic to things like credit card numbers and other sensitive data, too.
Now that the vulnerability is out in the open, a fix should hopefully be issued soon. However, your existing edited screenshots will still be affected, so you may want to go back and take a look at anything that might expose personal details, as attackers are no doubt going to be looking for potential victims.
Source: Chris Blume (Twitter) and David Buchanan (Twitter)