Windows snipping tool vulnerable to “Acropalypse”

Earlier this week, a vulnerability in Google Pixel phones’ screenshot tool called “Acropalypse” became known. The Windows 11 Snipping Tool behaves the same way.

Create a screenshot or photo, crop out sensitive data, save, and upload: on Google’s Pixel phones, for example, this process could leave parts of the cropped-out information in the saved file. The flaw has been named “Acropalypse”. While Google is distributing an update to close the gap, an IT pro found the same behavior in Windows 11’s Snipping Tool.

There is not much you can do with graphics in the Windows Snipping Tool, but you can crop them. If you save the cropped file under the same name as the original (after confirming a warning dialog asking whether you really want to overwrite the existing file), the file size stays the same instead of decreasing.

Acropalypse: Failed to truncate

The behavior is very easy to reproduce. When overwriting, the data that the existing file held beyond the end of the newly saved content is retained. This is easy to see in a hex editor, for example.

The original test file was 192 kbyte in size. After cropping and overwriting, the file size remained unchanged.

File size after overwriting the existing file does not change in Windows 11 Snipping Tool. (Image: Screenshot/dmk)

PNG files use the letter sequence IEND as an end marker, so you can search the files for it:

In the file overwritten with the snipping tool, the PNG end marker is in the middle of the file. This is followed by the data previously contained in the original file. (Image: Screenshot/dmk)

In the file overwritten using the Windows Snipping Tool, the IEND marker is in the middle of the file. The rest is data left over from the original file; it is retained and could therefore contain unwanted information. When the file is instead saved under a new filename with Windows 11’s Snipping Tool, it ends as expected with the IEND marker, on the line around address 0x5F40.

More Windows tools

However, other Windows tools proceed correctly. Even simply opening the file with the “unnecessary data ballast” in Windows Paint and saving it immediately shrinks the file to the correct size. Potentially sensitive, cropped-out data is no longer included. Presumably, the necessary change is trivial. Virtually all programming languages offer different modes for opening a file for writing, for example “always create new” or “overwrite”. It could be that the developers simply chose an inappropriate mode.

Unlike the tool for editing screenshots on Pixel phones, the Snipping Tool is probably not used as often on Windows. The Paint system tool is likely to be in widespread use, but it handles the files correctly. Other image editors such as Photoshop or GIMP have also not attracted attention so far. Nevertheless, Microsoft should address the problem quickly and distribute a fixed version of the Snipping Tool. That the company’s developers know how to do it right is shown by the example of Paint, which even corrects an “oversized file with unwanted content” when it is saved.

If you use the snipping tool, you should not simply overwrite files, but give them a new file name so that you don’t accidentally reveal sensitive information. Files already stored in this way can be corrected with Windows Paint simply by opening and saving them.

