Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools


Microsoft has released an out-of-band update to fix a privacy-compromising vulnerability in its screenshot editing tools for Windows 10 and Windows 11.

The flaw, known as aCropalypse, could allow malicious actors to recover cropped-out portions of screenshots, potentially exposing sensitive details that the user intended to remove by cropping.

Tracked as CVE-2023-28303, the flaw carries a CVSS score of 3.3. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11.

According to an advisory Microsoft released on March 24, 2023, the severity of the vulnerability is low because exploitation requires uncommon user interaction and depends on several factors that an attacker cannot control.

Successful exploitation requires two conditions to be met:

  • A user must take a screenshot, save it to a file, modify that file (for example by cropping or resizing it), and then save the modified version to the same location.
  • A user must open an image in the Snipping Tool, make changes to it (such as resizing it), and then save the edited file to its original location.

Images that are copied out of the Snipping Tool, or that are edited before being saved for the first time, are not affected.

For example, if you take a screenshot of your bank statement, save it to your desktop, and then crop out your account number and save the cropped image to the same location, the account number may still be present in the image file even though it is no longer visible. Anyone who obtains the complete file could recover that information.

If, on the other hand, you copy a cropped image from the Snipping Tool and paste it into an email or another document, the hidden data is not carried along with it, so the account number in that case stays protected.
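The check a defender can run over already-saved screenshots, as an added example that is not part of Microsoft's advisory or of the tools themselves. It assumes the known mechanism of the bug, that the cropped PNG is written over the original file without truncating it, so the old image's bytes remain after the new file's IEND chunk; the function names and the sample images are constructed here for illustration.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def trailing_bytes_after_iend(data: bytes) -> int:
    """Return how many bytes follow the first IEND chunk (0 for a clean PNG).
    Any non-zero result means the file still holds data from what occupied it
    before, the aCropalypse symptom when a cropped image overwrites a larger one."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header, data, CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")

def strip_trailing_data(data: bytes) -> bytes:
    """Defensive clean-up of an already-saved file: drop everything after IEND."""
    return data[:len(data) - trailing_bytes_after_iend(data)]

def simulate_overwrite_without_truncate(original: bytes, cropped: bytes) -> bytes:
    """Model of the buggy save: new bytes written at offset 0, old tail left behind."""
    return cropped + original[len(cropped):]

def build_png(width: int, height: int, rows: list) -> bytes:
    """Build a minimal 8-bit RGB PNG from raw scanlines (constructed sample data)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    raw = b"".join(b"\x00" + row for row in rows)  # filter type 0 on every row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def sample_images() -> tuple:
    """Constructed (large original, small cropped) pair. The original's pixels are
    SHA-256 output, so they do not compress and it is certainly the longer file."""
    big_rows = [b"".join(hashlib.sha256(bytes([r, c])).digest() for c in range(3))
                for r in range(8)]  # 8 rows of 32 px x 3 bytes
    small = build_png(2, 2, [b"\x00\xff\x00" * 2] * 2)
    return build_png(32, 8, big_rows), small

if __name__ == "__main__":
    big, small = sample_images()
    leaky = simulate_overwrite_without_truncate(big, small)
    print("bytes after IEND:", trailing_bytes_after_iend(leaky))  # > 0: old data present
    print("after clean-up:", trailing_bytes_after_iend(strip_trailing_data(leaky)))  # 0
```

Run over a folder of saved screenshots, any file reporting a non-zero count should be treated as potentially carrying the pre-crop content and re-saved after clean-up.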

The flaw has been fixed in Snip & Sketch version 10.2008.3001.0 for Windows 10 and in Snipping Tool version 11.2302.20.0 for Windows 11.

The name "aCropalypse" was first used on March 18, 2022, when it emerged that a bug in the Markup tool on Google Pixel phones allowed earlier edits to screenshots to be reversed. This made it possible to recover personal information from screenshots and images that had been redacted, cropped, or otherwise edited to hide parts of their content.

Reverse engineers Simon Aarons and David Buchanan have been credited with discovering the issue. The flaw, a serious one affecting Pixel devices, was assigned CVE-2023-21036; it was reported to Google on January 2, 2023, and fixed in an update released on March 6, 2023, for specific devices including the Pixel 4A, 5A, 7 and 7 Pro.

The deficiency has been present since the Markup utility was introduced with Android 9 Pie in 2018, meaning any image shared in the past five years could be exposed to an aCropalypse attack and the privacy concerns that come with it.

Buchanan tweeted that although the bug can be fixed, it is difficult to recall all the insecure images that may already have been shared, describing it as a bad situation.

A similar crop-undo problem has also come to light in Google Docs: it allowed people with only view permission on a shared document to retrieve the original versions of cropped images, even though they had no editing privileges.
