back to article Microsoft scrambles to fix Windows 11 'aCropalypse' privacy-battering bug

Microsoft is said to be preparing to fix the high-profile "aCropalypse" privacy bug in its Snipping Tool for Windows 11. Users can remove sensitive information or some other parts of photos, screenshots, and other images by cropping them using the Snipping Tool app. The problem is that for the Windows 11 app – as well as …

  1. Doctor Syntax Silver badge

    It seems to be a general thing with "cropping" tools. I had the task of turning some Word documents of books into PDFs. The files turned out to be much bigger than expected, largely because the supposedly cropped images weren't. In one case several different faces had been "cropped" out of a larger image. The entire image was embedded several times. I think there must be a misconception amongst devs that "crop" really means "frame" as that's what seems to be happening. Fortunately Gwenview did a proper cropping job for me (other FOSS image editing tools are available).

    1. Tom Chiverton 1

      Nope, read the write up on the android issue. The file open mode was changed from implicit truncate on write to explicit, thus foot gunning all the clients.

      1. that one in the corner Silver badge

        > thus foot gunning all the clients.

        WRT the Android bug, I've been a bit weirded out that (so far) everyone I've seen discussing it is *only* talking about how that can affect images, when it can clearly affect *any* data where the new data is shorter than the old. Just as long as there is an EOF mark or "chunk size" field which tells the normal file loader/parser/displayer to stop. Even down to plain text, if the EOF character(s) are being correctly honoured.

    2. that one in the corner Silver badge

      Why expect the PDF converter to do more than Word did?

      > I think there must be a misconception amongst devs that "crop" really means "frame"

      Programs like Word will clearly only set a view onto any image that you drop into a document, keeping the entirety of the original image within the document. Otherwise, you would not be able to go back into the document and still be able to change your mind about how to present the image in document (e.g. decide you want to alter the crop to match some change in the text).

      When converting the document to a PDF, the simplest (as in, least likely to go wrong) option is just to do the dame as Word: set up a view onto the original data. And not attempt to scan the document to see if it contains multiple copies of the same image and try to perform any extra optimisations that Word hasn't bothered to do.

      Unless there an explicit claim somewhere within the documentation (or sales blurb) that the PDF converter is going to space-optimise the result (as some products do) then the PDF converter has done exactly what it promised to do, no more and no less.

      1. Doctor Syntax Silver badge

        Re: Why expect the PDF converter to do more than Word did?

        I didn't. The Word files were already bloated by uncropped images.

    3. Sorry that handle is already taken. Silver badge

      It should be reasonable to expect that your edits get "solidified" when you save or print to PDF and the hidden parts of images do get deleted...

      I recall that an Australian police unit once made this same mistake in a terrible way by embedding cropped images of child abuse material in reports that they had produced: https://www.theregister.com/2004/11/26/oz_police_abuse_pics_mistake/

    4. Ozan

      I remember Word had a function that removes that cropped sections from file. I remember you have to find it and run it as well. Nothing automatic. Word keeps the original file by default.

      1. MaddMatt

        The Function to remove the cropped out portions of "cropped" images still exists - "Compress Pictures" on the picture format ribbon. Has anyone checked it works as intended?

  2. Anonymous Coward
    Anonymous Coward

    I don't mean to sound snippy, but...

    I wonder if 'selection' screenshots have the same problem. Do they actually define the captured pixels within the selection boundary or are they just taking a screenshot of the whole screen and then cropping to the selection boundary?

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't mean to sound snippy, but...

      I can't vouch for Windows, but the screenshot tools on Mint & MX Linux did it properly for me.

      The only sensible approach is to always save explicitly to a new file when cropping.

      Mind you this sort of idiocy makes me wonder if even that is guaranteed to work in the long run.

    2. NATTtrash

      Re: I don't mean to sound snippy, but...

      Call me a grumpy old person, but are we absolutely sure this is a bug? Since for "some" deleting data is heresy... Not profitable...

    3. CatWithChainsaw
      Joke

      Re: I don't mean to sound snippy, but...

      Snippy? I see what you did there.

      1. 43300 Silver badge

        Re: I don't mean to sound snippy, but...

        "Snippy? I see what you did there."

        It looks like you are trying to remove part of an image. Snippy can help fuck the process up for you...

  3. John Brown (no body) Silver badge

    It beggers belief...

    It beggars belief that devs could get something as simple as image cropping so badly wrong. What the fuck were they thinking? Did not ONE of them notice the file sizes not changing or not reducing enough?

    It's bad enough when users embed huge images into Word documents and then scale them using Word and the entire huge image is still there instead of being actually scaled to the size the user chose. But this is a whole other level of shitty programming!

    I'm left speechless!

    1. sgp

      Re: It beggers belief...

      In Word (and PowerPoint) you are supposed to use the compress pictures tool to remove cropped parts and size them down. I actually find this useful in a text editor because it allows you to revert the crop or resize the images before finalizing the document. You can always use an image editor of course.

      With respect to the first part of your comment, 100% agree.

      1. John Brown (no body) Silver badge

        Re: It beggers belief...

        I can see why it's not finalised during the editing stage, I can also sort of see why it may not be finalised just because you save it since you may not actually be finished editing it, so maybe it needs to be made clearer to the users when and how to use the "compress image" tools. Maybe Yet Another Pop-Up(tm) reminding the user every time they same?

        Ta for the info :-)

      2. Mage Silver badge
        Linux

        Re: It beggers belief...

        Actually save source. Edit source in a real image editor, save a copy. Embed the new copy in other program such as wordporcessor, indesign, PDF editor, slideshow etc.

        Madness to process images in a toy app, PDF editor or wordprocessor or powerpoint etc.

      3. Doctor Syntax Silver badge

        Re: It beggers belief...

        The problem here is not with what's done and why. It's with the term "crop". If that's what's offered to the user then it's reasonable to expect the user to think that that's what will happen. What's actually happening would be better described as "frame".

        LibreOffice Writer acts in the same way and the compress option only affects the image's resolution, not its boundaries.

    2. Anonymous Coward
      Anonymous Coward

      Re: Win11 TPM and Secure boot, makes zero difference to poorly written signed code.

      This is a great example of how poorly written, signed Microsoft code, creates significant data security issues (and complacency), where TPM and Secure Boot won't save you. Reliance on TPM and Secure Boot make zero difference, in these cases, if the code is signed and poorly written, you're f'ck'ed.

      Poorly written (clearly) untested code in terms of quality assurance, seems to be the staple diet of Microsoft's programming teams, it's now all about 'throwing jelly out the door' and see what sticks.

      Anyone with half a brain can see where Nadella/Panay are taking the Windows product line, and it's not anywhere good.

      The main question, for those that roll out this MS shite day in, day out, is how - as an order of magnitude better, does the Linux desktop have to be, before finally we all say enough is enough, and ditch Windows for good.

      Linux Desktop is good enough to do the drudge. Its biggest problem (that isn't a problem of the product in itself), is it doesn't have the marketing power of Windows, that is its only problem in all of this.

      The key probably lies with Nvidia. If Nvidia were to get behind Linux fully, in terms of its drivers, and become the graphics card of choice for Linux, open and friendly, Windows could start to have a real battle on their hands, in terms of those jumping ship.

      1. that one in the corner Silver badge

        Re: Win11 TPM and Secure boot, makes zero difference to poorly written signed code.

        With one mighty bound...

      2. Mage Silver badge

        Re: Win11 TPM and Secure boot, makes zero difference to poorly written signed code.

        The Linux desktop was good enough 15 to 25 years ago. The problem is either Windows only business programs (payroll, accounts etc) or one-of-a-kind programs only on Mac and Windows.

    3. captain veg Silver badge

      Re: It beggers belief...

      I imagine that the intention was to persist "undo" functionality across a Save/Close/Open cycle.

      This is very old news. Excel was in the frame for similar behaviour several decades ago. It was by design. Some people might even find it useful.

      -A.

  4. aerogems Silver badge
    Holmes

    I wonder

    Given Google had an almost identical issue with Android, and how common it is for employees to move between the likes of Microsoft, Google, Apple, and Amazon... if maybe a single person was responsible for this. The code all seems to take the exact same shortcut, just stuffing an end code in the middle of the file and not actually trimming off the rest, which sounds like it might be the "handiwork" of a single person.

    1. David 132 Silver badge
      Happy

      Re: I wonder

      Oh, surely they can't all be copying-and-pasting the same "solution" from Stack Overflow?

      1. Anonymous Coward
        Anonymous Coward

        Re: I wonder

        Nah - they just asked the same AI.

    2. that one in the corner Silver badge

      Re: I wonder

      Ignoring the fact that the Android issue is that the OS changed its behaviour and stopped truncating the files, breaking the programs.

    3. Dan 55 Silver badge
      Devil

      Re: I wonder

      I'm pretty sure it's just down to agile development in both cases - bits of code given to whoever's free but nobody's really got an overall view of the software and how it should work.

  5. Jou (Mxyzptlk) Silver badge

    I always use paint.

    The snipping tool still does not have a straight line, a rectangle, a circle. Draw over something looks like a toddler was at work. Therefore: Snip, copy, paste in mspaint, hide the data, copy, paste in mail.

    1. Sorry that handle is already taken. Silver badge

      Re: I always use paint.

      If you're already using MS Paint, you can skip the snipping tool step altogether by using PrtSc or Alt+PrtSc and then cropping in Paint itself

      1. Jou (Mxyzptlk) Silver badge

        Re: I always use paint.

        I only the the prt-scr way when I have to. Two reasons:

        1. Homeoffice is 1920x1080 Laptop + 3840x2160 indecent large 4k screen (zoom set to 100%).

        2. Work office is 1920x1080 Laptop + 2*2560x1440 27" screens (zoom set to 100%)

        Hitting prt-scr gives me either 3840x3240 or 7040x1440, not so good to handle in paint for pre-crop - you have to use the zoom 50% or 25% else you can't. On top I have so much desktop space I rarely use any window in full screen or in the "ordered corners", so a full screen screens-shot would be useless anyway. And I need way too many windows open, ordered + cascaded around.

        1. Sorry that handle is already taken. Silver badge

          Re: I always use paint.

          Fair enough! You might already be aware of this, but Alt+PrtScr takes a screenshot of the active window only. This is the mode I use the vast majority of the time (and what IME most people who use the snipping would be better off doing anyway). It obviously doesn't help if you want a shot of more than one of your open windows, though.

          1. Jou (Mxyzptlk) Silver badge

            Re: I always use paint.

            I know and use that at home more than at work. At work: Most of the time no.

            It does not work as expected if you have windowed RDP session, and quite often, due to security separation reasons, several nested RDP-Citrix-RDP sessions.

            Or try a alt+prt-scr on a vmware web console when you want only the VM, and not the rest.

            Or even worse: Try capturing something that acts on "alt", like a context menu or something similar going away wen pressing alt.

            Yes, all that sh* is real life experience. Shows my age, my first own computer was a C16.

  6. Gene Cash Silver badge
    FAIL

    aCropalyse

    Can we stop this immature business of giving bugs stupid and childish names?

    1. Dacarlo

      Re: aCropalyse

      Why do you want to take away our only source of joy! Coming up with pun-worthy and pithy project/cockup names is literally half the fun for me.

    2. Anonymous Coward
      Anonymous Coward

      Re: aCropalyse

      Better still, can we stop this immature Microsoft business model of throwing code out the door, before it's being tested.

      1. Anonymous Coward
        Anonymous Coward

        Re: aCropalyse

        The oceans will be at least a meter higher before that will happen.

        1. Anonymous Coward
          Anonymous Coward

          Re: aCropalyse

          so in about 4 hours, at high tide, then?

    3. Alligator

      Re: aCropalyse

      It would help if you and the article's author got the name of the bug right in the first place, though I note that the headline writer, presumably a sub-editor, managed to include the second p.

    4. Ken Moorhouse Silver badge

      Re: aCropalypse

      Acrapolapse seems somehow more appropriate.

      1. BenDwire Silver badge
        Holmes

        Re: aCropalypse

        I think you meant Acraprolapse

  7. TVC

    This sort of issue has been around for decades.

    Just make the assumption that when you save any sort of edited object, that at least a smell of the old one will be left behind. Save it into a new file or even re-snip it.

  8. AndrueC Silver badge
    Facepalm

    What's wrong with loading the image into Paint, select an area then copying and pasting it? That's all we had in my day :)

    Although MS have managed to bugger up Paint as well on Win 11. They've failed to implement accelerator keys (what happened to accessibility rules, eh?) and it has other daft quirks that make it less pleasant.

    I use Paint quite a lot. Am an artist? Nope. Programmer. I use Paint because it has proved the quickest and easiest way to grab a screen shot of a Visual Studio window so if I want to keep some information for review I launch it, [Alt][Prt Scr] then paste into Paint. It's kinda sad that there isn't a better way built into VS but then VS never was very user friendly. Powerful, yes. But in terms of usability pretty shite really.

    Still it does you good to laugh and MS sure is a great source of humour. If you can get past the irritation.

    1. Boris the Cockroach Silver badge
      Coat

      Quote

      "Still it does you good to laugh and MS sure is a great source of humour. If you can get past the irritation."

      So are hemmeroids.... and m$ knows all about being a PITA

      Doctor's coat....

    2. captain veg Silver badge

      Re: Programmer

      Same here.

      I can only imagine that Paint was designed by programmers rather than creatives. As a programmer I want to know the dimensions of the image and the RGB values of each pixel. Creatives don't. They're doing perverse stuff with shapes and layers.

      -A.

  9. Rich 2 Silver badge

    WTF????

    “the file of the cropped image still includes the cropped out portions”

    I’m trying to comprehend how brain-dead moronic you need to be to code something like this. I’m struggling

    Unless this behaviour was the spec given to the softie, in which case I’m struggling to comprehend how brain-dead moronic you need to be to spec this

  10. Mage Silver badge
    Facepalm

    See also Metadata

    See also ejits uploading to social media without removing sensitive metadata / EXIF etc. The SM sites archive it and some then strip it, inc © text to make life easy for scraping.

    1. SuperGeek

      Re: See also Metadata

      Downvoted you because that's not fair. How are everyday users supposed to know what the hell Metadata, or EXIF actually is?

      1. Gene Cash Silver badge

        Re: See also Metadata

        Because it's part of using a camera?

        But then I guess they just go "it's magic!!" when Photoshop displays the aperture, time, flash mode, etc on an image.

        I'm getting real tired of "oh the computer just knows!" from people that are actually rather smart and should know better if they spent 1/10th of a second on it.

        Edit: and it's had real world consequences when someone advertises something expensive for sale and people get the location from the image to steal it. Or people finding a scammer and coming to beat him up.

    2. captain veg Silver badge

      Re: See also Metadata

      I don't use social media sites, but I'm sometimes asked by people who do to explain why what they posted is not what their friends see. And it's always because the site doesn't merely insert the uploaded media files verbatim, but "optimises" them by stripping out metadata and resizing/resampling images.

      Quite often this means that the images are displayed portrait instead of landscape or vice versa. Which is annoying. To the poster.

      -A.

  11. Anonymous Coward
    Anonymous Coward

    The original report was heavily redacted

    ….with nice black oblongs placed over the secret text…

  12. Ideasource Bronze badge

    User negligence

    If you don't vet the behavior go to software tools you use, you are the equivalent of someone who buys a car on Craigslist without checking the mechanics that then proceeds to try and drive it from California to New York.

    "I don't know why I got stranded in the middle of nowhere I close my eyes and made sure not to look at anything.

    1. Jellied Eel Silver badge

      Re: User negligence

      If you don't vet the behavior go to software tools you use, you are the equivalent of someone who buys a car on Craigslist without checking the mechanics that then proceeds to try and drive it from California to New York.

      Most apps (or even operating systems) don't really let you peek under the hood. So how would you check, other than maybe looking at the file size? Sometimes systems are too smart for their own good. I saw another strange MS feature this morning. I have a desk clock that was still showing GMT/UTC. Windows fired up and told me the time was GMT+2. Clock settings were set to London, auto DST on, and for whatever reason it decided to tack on another hour.

    2. captain veg Silver badge

      Re: User negligence

      I know not this "Craigslist", but car manufacturers and their lackeys in the media have been feeding us for years the idea that "modern" motors just work. And, to be fair, mostly they do.

      Since you mention California and New York, the often cited "reason" for American cars to have massively over-capacity and under-efficient engines was always for reliability. Surely you are not suggesting that it isn't so?

      -A.

  13. Anonymous Coward
    Anonymous Coward

    That version of Snipping Tool (11.2302.20.0) is in W11 RP Insider ring now, so not limited to Canary if it is indeed fixed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like