
posted by janrinok on Tuesday March 28 2023, @11:02AM

Microsoft to fix Windows 11 'aCropalypse' privacy failure:

Updated: Microsoft is said to be preparing to fix the high-profile "aCropalypse" privacy bug in its Snipping Tool for Windows 11.

Users can remove sensitive information or some other parts of photos, screenshots, and other images by cropping them using the Snipping Tool app. The problem is that for the Windows 11 app – as well as Microsoft's Snip & Sketch cropping tool in Windows 10 – the file of the cropped image still includes the cropped out portions, which can be recovered and viewed.

A similar flaw was found in Google's Markup image-editing app for its Pixel smartphones. According to reverse engineers Simon Aarons and David Buchanan – who named the bug aCropalypse – the problem affects Pixel smartphones since 2018, when the 3 series came out. Google patched its code to avoid leaking cropped areas of images.

Then this week, Buchanan confirmed that the Windows Snipping Tool and Snip & Sketch software had the same issue. If a user cropped a photo or other image using the software and then saved the edited image over the original file, that file still contains the cropped-out portion. The area isn't visible when viewing the image using normal tools, but the data is still there in the file, and can be restored and viewed using appropriate recovery software.

Steven Murdoch, a professor of security engineering at the UK's University College London, shared some thoughts here on the underlying issue within Windows, specifically its latest Save File API, which he described as "defective by design."

[...] Meanwhile, if you've used Microsoft's code to crop your snaps and then shared them on, be aware someone with a copy of them might be able to recover the lopped-off portions. ®
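The failure mode described above is simply a file being rewritten in place without being truncated first, so a smaller cropped image leaves the tail of the larger original sitting after the PNG's IEND chunk. As an added example (not code from The Register's article, from Microsoft, or from the researchers), here is a Python check that walks the PNG chunk list and reports how many bytes trail IEND, together with a simulation of both the defective and the correct save path. It assumes PNG output and uses constructed test images; the actual Windows Save File API is not modelled, only the "write without O_TRUNC" behaviour it leads to.

```python
import os
import struct
import tempfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, colour: bytes) -> bytes:
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed test data).
    IDAT is stored uncompressed (zlib level 0) so file sizes scale with the image size."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + colour * width for _ in range(height))  # filter byte 0 per scanline
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw, 0))
            + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk, i.e. where a well-formed PNG ends.
    Walks the chunk list so stray 'IEND' bytes inside IDAT payloads cannot fool it."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND. Non-zero means the file carries data a viewer never displays."""
    return len(data) - png_end_offset(data)


def save_without_truncate(path: str, new_data: bytes) -> None:
    """Simulated failure mode: open an existing file for writing WITHOUT truncating,
    so a shorter image leaves the tail of the old one in place."""
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC, the old length is kept
    try:
        os.write(fd, new_data)
    finally:
        os.close(fd)


def save_with_truncate(path: str, new_data: bytes) -> None:
    """Correct behaviour: "wb" implies O_TRUNC, discarding the old contents first."""
    with open(path, "wb") as f:
        f.write(new_data)


def strip_trailing_data(data: bytes) -> bytes:
    """Remediation for an already affected file: keep only the bytes up to IEND."""
    return data[:png_end_offset(data)]


def demo() -> dict:
    """Write a large PNG, overwrite it with a smaller 'cropped' one both ways,
    and report the trailing byte count for each outcome."""
    big = make_png(64, 64, b"\xff\x00\x00")
    small = make_png(8, 8, b"\xff\x00\x00")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "snip.png")
        save_with_truncate(path, big)
        save_without_truncate(path, small)
        with open(path, "rb") as f:
            leaked = f.read()
        results["leaky_trailing"] = trailing_bytes(leaked)
        results["stripped_trailing"] = trailing_bytes(strip_trailing_data(leaked))
        save_with_truncate(path, big)
        save_with_truncate(path, small)
        with open(path, "rb") as f:
            results["fixed_trailing"] = trailing_bytes(f.read())
    return results


if __name__ == "__main__":
    print(demo())
```

Running `trailing_bytes` over an existing PNG is the quick way to answer the question of whether a particular file is affected, including a cropped snip that was "saved as" a new file: a clean file reports 0. The chunk walk matters because searching for the literal bytes `IEND` can hit a false match inside compressed image data.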



This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by Rosco P. Coltrane on Tuesday March 28 2023, @12:22PM (3 children)

    by Rosco P. Coltrane (4757) on Tuesday March 28 2023, @12:22PM (#1298483)

    But they're still too incompetent to overwrite a file properly.

    Today is the dumb future you never expected...

    • (Score: 4, Insightful) by Mojibake Tengu on Tuesday March 28 2023, @12:53PM

      by Mojibake Tengu (8598) on Tuesday March 28 2023, @12:53PM (#1298486) Journal

      Today is the dumb future you never expected...

      I did.

      Though for decades, everyone denounced me as a paranoid pessimist.
      My life credo: You are never paranoid enough.

      Frankly, how could user files ever be overwritten, if they reside in clouds, forever to incriminate?

      --
      Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 1, Funny) by Anonymous Coward on Tuesday March 28 2023, @01:16PM (1 child)

      by Anonymous Coward on Tuesday March 28 2023, @01:16PM (#1298489)

      Not that I have any big secrets here, but I didn't see any mention of this problem for the Snipping Tool in Win7 (which I use occasionally). The links in the fine article only mention Win 10 & 11.

      Anyone know if the bug goes back as far as Win 7 (Pro)? I know I'm not alone in still using 7...

      • (Score: 2) by RS3 on Tuesday March 28 2023, @09:22PM

        by RS3 (6367) on Tuesday March 28 2023, @09:22PM (#1298559)

        Not that I have any big secrets here...

        Says the Anonymous Coward.

        (as I'm sitting here writing this on Win7...sigh.)

  • (Score: 5, Funny) by Zinho on Tuesday March 28 2023, @12:51PM (1 child)

    by Zinho (759) on Tuesday March 28 2023, @12:51PM (#1298485)

    Poe's Law is rearing its ugly head: I laughed when they issued an "uncrop" command during photo analysis in the show Red Dwarf: Back to Earth. [youtube.com] Less funny now.

    Maybe Microsofties are fans of Sci-Fi Britcoms?

    --
    "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
    • (Score: 2) by captain normal on Tuesday March 28 2023, @06:07PM

      by captain normal (2205) on Tuesday March 28 2023, @06:07PM (#1298537)

      It's not a bug, it's a feature. Everyone should be able to undo stupid mistakes.

      --
      When life isn't going right, go left.
  • (Score: 3, Interesting) by Runaway1956 on Tuesday March 28 2023, @02:41PM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Tuesday March 28 2023, @02:41PM (#1298499) Journal

    If a user cropped a photo or other image using the software and then saved the edited image over the original file

    Easy solution, right? Instead of saving your edited file on top of the old file, create a new file. I don't do much of this type of thing, but I always create a new file, instead of saving the old file. I would much rather have 26 versions of the same file, from which I can pick and choose, than to lose access to the original. Added benefit here, random people can't recover the data you erased, or peek under the stuff you added to the file.

    • (Score: 0) by Anonymous Coward on Tuesday March 28 2023, @03:33PM

      by Anonymous Coward on Tuesday March 28 2023, @03:33PM (#1298506)

      Is there anyone here with suitable tools (and a Win 10/11 machine) to confirm that "saving as" to a new file fully removes the cropped portion of the original snip? Given that this is Windows, it may or may not work as expected...

  • (Score: 2) by RamiK on Tuesday March 28 2023, @08:39PM

    by RamiK (1813) on Tuesday March 28 2023, @08:39PM (#1298555)

    PDFs have crop and bleed boxes (and a few more I can't be ass'ed to google) that can crop parts of the page losslessly as well as separate page (and image) transformation that can similarly crop away content. Even better, PDFs have a whole document level lossless editing feature where corrections done to the PDF post-production are added at the bottom of the file as separate corrections you can then undo... Fortunately most software libraries ignore that and just do lossy editing. But, ironically, it's required for forms and signage which, amusingly, meant you could/can edit signed documents after they've been signed under some not-entirely-rare circumstances.

    Oh, you also have image masks as separate images so if you exported a layered source (say, psd) you might be unwittingly leaking blacked out content...

    Another cool feature is that some, but not all, image embedding also includes any meta added to the image. Like, jpegs retain the exif tags I believe. But when it comes to bitmaps it will strongly depend on the processing software/library and the source. Anyhow, this is often used to de-anonymize scanned pirated content and construct the "supply chains" behind various groups.

    It's why experts are always so ambivalent about PDF: It does so many cool things and tends to be really efficient so it's gratifying writing code for it but OH BOY if there ever was a tech that needed to die...

    --
    compiling...