Windows 11 appears to have a security flaw that allows potentially sensitive data to be recovered from an edited screenshot. As discovered last week by cybersecurity researchers David Buchanan and Simon Aarons, the vulnerability is in the Snipping Tool.
When capturing the screen using the pre-installed Windows 11 app, you can make quick adjustments — such as cropping, highlighting and drawing — before saving the image. It is common for users to remove certain parts containing sensitive and private data before sharing the file, but in some cases, this may not work.
When the user captures the screen using the Snipping Tool and replaces an existing file after selecting the “Save” option, Windows does not overwrite the whole image file and remove the data of the original; it just “hides” the previous information. This issue also occurs when editing an existing image on the PC.
TechSmart was able to replicate the security flaw in version 22H2 of Windows 11 (Build 22621.1413). The two versions of a screenshot, original and cropped, have significantly different dimensions, but the file size of the cropped version saved over the original is the same as that of the initial file.
Despite significantly different resolutions, both images have the same file size of 279 KB.
The W3C, a digital content standardization consortium, specifies that PNG files must end with the “IEND” chunk, and any data placed after this marker is ignored by image viewing applications such as Microsoft Photos.
However, when examining the contents of the cropped screenshot, it is possible to see that there is additional data written after the “IEND”, and that it corresponds to the “hidden” content of the original version of the image.
The photo viewer ignores this data, but using appropriate tools, it is possible to rearrange the data and recover the image. Interestingly, this security flaw only occurs with Windows 11. The original version of the Snipping Tool, which was shipped in Windows 10, does not have this issue.
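A defender-side check for the condition described above, as an added example that is not from the original article or from the researchers: it walks the PNG chunks to find IEND and counts any bytes left after it. The function names and the noise-filled sample images are constructed for illustration.

```python
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))

def make_png(width, height, seed=0):
    """Constructed sample input: 8-bit grayscale PNG filled with noise."""
    rng = random.Random(seed)
    rows = b"".join(b"\x00" + bytes(rng.getrandbits(8) for _ in range(width))
                    for _ in range(height))  # filter byte 0 + pixels per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))

def end_of_png(buf):
    """Walk the chunks and return the offset just past IEND."""
    if not buf.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(buf):
        (length,) = struct.unpack(">I", buf[pos:pos + 4])
        ctype, end = buf[pos + 4:pos + 8], pos + 12 + length
        if end > len(buf):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if crc != zlib.crc32(buf[pos + 4:end - 4]):
            raise ValueError("CRC mismatch")
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def trailing_bytes(buf):
    """Number of bytes a viewer ignores after IEND (0 for a clean file)."""
    return len(buf) - end_of_png(buf)

def strip_trailing(buf):
    """Mitigation: keep only the bytes up to and including IEND."""
    return buf[:end_of_png(buf)]

# Constructed scenario: a small "cropped" PNG written over a larger file
# without truncating it, so the old file's tail stays in place.
original = make_png(64, 64, seed=1)
cropped = make_png(16, 16, seed=2)
overwritten = cropped + original[len(cropped):]
```

For a real screenshot, pass the bytes from `open(path, "rb").read()` to `trailing_bytes`; a non-zero result means the file carries data after IEND, and `strip_trailing` returns the bytes to write to a new file.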
The new vulnerability was discovered weeks after a similar flaw was found on Google cell phones. Users discovered that the “Pixel Markup” feature makes the same kind of change to the image file, allowing advanced recovery tools, such as “Acropalypse”, to restore the image to its original state.
For Google, this has become a zero-day security flaw, but there are still no real applications that pose similar risks to Windows users, so it is recommended that screenshots taken with the operating system’s native tool be saved as a new file, without overwriting an original version.