
Microsoft has released an out-of-band update to address a privacy-invading flaw in its screenshot editing tool for Windows 10 and Windows 11.
The problem, dubbed aCropalypse, could allow a malicious actor to recover the redacted portion of a screenshot, potentially revealing sensitive information that was cropped out.
Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS scoring system. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11.
In an advisory released on March 24, 2023, Microsoft stated, “Successful exploitation of this vulnerability requires unusual user interaction and several factors beyond the control of an attacker. Therefore, the severity of this vulnerability is low.”
Two prerequisites must be met for the exploit to succeed:
- The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
- The user must open an image in the Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.
However, it does not affect scenarios where the image is copied from the Snipping Tool or modified before saving.
“If you take a screenshot of your bank statement, save it to your desktop, and then crop the account number before saving it to the same location, the cropped image will contain the account number in a hidden form that someone who has access to the full image file could restore,” explains Microsoft.

“However, if you copy the cropped image from the Snipping Tool and paste it into an email or document, the hidden data will not be copied and your account number will be safe.”
This vulnerability was resolved in Snip & Sketch version 10.2008.3001.0 on Windows 10 and Snipping Tool version 11.2302.20.0 on Windows 11.
aCropalypse was first revealed on March 18th, 2022, when a bug in Google Pixel’s Markup tool was found to allow edits made to screenshots to be retroactively undone, exposing what had been edited out. This means that personal information, whether cropped out or masked, can be recovered from edited screenshots and images.
Reverse Engineers Simon Aarons and David Buchanan discovered this issue.
A related high-severity Pixel flaw, tracked as CVE-2023-21036, was reported to Google on January 2, 2023 and fixed in the March 6, 2023 update for Pixel 4A, 5A, 7, and 7 Pro devices.
This shortcoming has existed since the Markup utility shipped with Android 9 Pie in 2018, meaning images shared over the last five years are vulnerable to aCropalypse attacks and may raise privacy concerns.
“You can patch it, but you can’t easily unshare every vulnerable image you may have sent,” Buchanan said in a tweet, describing it as “bad stuff.”
A similar issue with reversible cropping was recently revealed in Google Docs, allowing users with read-only access to restore the original version of cropped images in shared documents, even without editing privileges.