← Back

What is aCropalypse? The screenshot crop bug explained

aCropalypse is a 2023 vulnerability, tracked as CVE-2023-21036, in which a screenshot editor that cropped or redacted an image and then saved over the original file left the cropped-out pixels recoverable inside the saved file. Security researchers Simon Aarons and David Buchanan found it in Google's Pixel Markup editor, and a matching flaw turned up in Microsoft's Windows screenshot tools. The lesson outlives the bug: cropping is not deletion, and saving over an original can keep a copy of what you meant to remove.

Where the name comes from

The name is a pun on "crop" and "apocalypse," and it fit, because the thing people trusted to hide information was quietly keeping it. You crop a screenshot to cut out a card number or a face, share the smaller image, and assume the removed part is gone. With aCropalypse it was not. The cropped-out region could be pulled back out of the file you shared, because the edit had shrunk the picture without shrinking the file it was written into.

Which tools and devices were affected

Two families of screenshot editor were hit: Google's Pixel Markup on Android and Microsoft's built-in Windows tools. macOS was not affected. The table lays out who leaked what, and what the fix was.

ToolPlatformWhat could leakCVEFixed
MarkupAndroid (Pixel)Cropped or redacted parts of screenshots edited since about 2019CVE-2023-21036March 2023 Android update
Snipping ToolWindows 11Cropped parts of a screenshot saved over the originalCVE-2023-28303Emergency update, 2023
Snip & SketchWindows 10Same save-over-original leak as the Windows 11 toolCVE-2023-28303Emergency update, 2023
Preview and ScreenshotmacOSNot affected by this bugNonen/a

On the Pixel, Markup arrived with Android Pie in 2018 and the flaw was live from around the 2019 releases onward, so several years of edited screenshots were potentially exposed. Microsoft's Windows 10 and Windows 11 tools had the same class of mistake, tracked under its own identifier, CVE-2023-28303.

How the bug actually worked

aCropalypse was not clever cryptography. It was a file-handling mistake. When you cropped a screenshot, the editor wrote the smaller new image back into the same file, but it opened that file in a mode that does not shorten it. On Android, the code called the file open with a plain write flag ("w") where it needed a write-and-truncate flag ("wt"). The new image overwrote the start of the file, and everything past the end of the new image, the tail of the original, was simply left behind.

A PNG has a clear end marker, so a normal viewer stops reading at the end of the new, smaller image and shows you the cropped result. It looks clean. But the leftover bytes of the original are still sitting in the file after that marker. A tool that knows to keep reading past the end can recover them, which is exactly what Aarons and Buchanan demonstrated.

How much could actually be recovered

This is where most explainers overstate it. aCropalypse did not guarantee a clean, full un-crop of every image. Recovery was often partial. How much came back depended on how much smaller the edited file was than the original, because that is how many of the original's trailing bytes survived.

The technical reason is compression. PNG pixel data is deflate-compressed, which leans on back-references to earlier data. The start of that compressed stream got overwritten, so any reference pointing back into the missing part could not be resolved. Buchanan's own write-up put it plainly: in theory an image could be almost all back-references to missing data, but in practice most are not, so you can get an intelligible result most of the time even when some referenced data is gone. The recompression restarts its Huffman coding every 16KB or so, which gives a reliable place to pick the stream back up. So think of it as often recovering most of the hidden content, not always all of it. That is still more than enough to leak a card number, a name, or a face.

Was macOS affected?

No. aCropalypse lived in specific Android and Windows screenshot editors, not in macOS, Preview, or the built-in Screenshot tool. If you edit screenshots on a Mac, this particular bug never touched you.

The reason it is still worth understanding on a Mac is that the root cause is not platform-specific. Any editor on any system that saves a smaller edited image over a larger original can, in principle, leave the old data behind. The safe habit is the same everywhere: export a new file after you crop or redact, and never trust a save over the original. If you want the Mac-specific version of doing this correctly, see how to redact a screenshot on a Mac.

Is it fixed, and what about old screenshots?

The live bug is fixed. Google patched Pixel Markup in the March 2023 Android security update, and Microsoft pushed an emergency update for the Windows Snipping Tool and Snip and Sketch. Edits made after updating are safe.

What the patches do not do is repair images you already saved. A screenshot you cropped on a vulnerable version, then posted or sent, still carries the hidden tail. The fix stops new leaks, it does not retroactively scrub files that already left your device. Old shared images are the long-tail risk here.

The real takeaway: cropping is not redaction

aCropalypse is a specific, patched bug, but it points at a bigger habit worth keeping. Cutting content out of the frame does not always destroy it, and covering content up does not either. A blur or a mosaic can often be reversed, and even a solid box can leave the data intact underneath. (For the reversal side of that, see whether you can reverse a blurred or pixelated image.) The dependable rule is to genuinely remove the pixels and write a fresh file, then check that file before you send it.

How ScrubShot avoids this class of bug

I build ScrubShot, a Mac screenshot app designed around redaction, and this exact category of problem is why it behaves the way it does. When you finish an edit, ScrubShot does not save over your original. It writes the finished image to a dedicated folder at ~/Pictures/ScrubShot and to the clipboard, so there is no larger original file sitting underneath the result for trailing bytes to hide in. The save-over-original class of bug simply is not part of the flow.

The redaction itself is built to be irreversible, not merely hidden. Rather than a normal pixelate, where each block is the average of the pixels beneath it and can be solved back, ScrubShot uses a content-independent scramble: each block is filled from pixels sampled at random across the whole selected region, so the pattern holds no relationship to what sat underneath. It is baked straight into the image, on-device, and it reverses to nothing by design. ScrubShot runs on macOS 14 and later, on Apple Silicon and Intel.

FAQ

What is aCropalypse?
aCropalypse is a 2023 vulnerability, tracked as CVE-2023-21036, in which a screenshot editor that cropped or redacted an image and then saved over the original file left the cropped-out pixels recoverable inside the saved file. When the smaller edited image was written, the file was not truncated, so the trailing bytes of the original survived past the end of the new image and could be partly reconstructed.
Which devices and apps were affected by aCropalypse?
Google's Pixel Markup editor on Android, affecting screenshots edited since about 2019, and Microsoft's Windows 11 Snipping Tool and Windows 10 Snip and Sketch (the Windows flaw was tracked separately as CVE-2023-28303). Each one saved a cropped image over the original without shrinking the file. Tools that write a fresh, separate file were not affected.
Was my Mac affected by aCropalypse?
No. aCropalypse was a bug in specific Android and Windows screenshot editors, not in macOS or its Preview and Screenshot tools. It is still a useful lesson for Mac users, because the root cause, saving a smaller edited image over the original file, is not unique to one platform, and cropping is not the same as removing.
Is aCropalypse fixed?
Yes. Google patched Pixel Markup in the March 2023 Android security update, and Microsoft shipped an emergency out-of-band update for the Windows tools. The fixes do not go back and clean images you already saved with a vulnerable version, so a screenshot cropped before the patch can still carry the hidden data.
How do I protect myself from bugs like aCropalypse?
Export a new file after you crop or redact, rather than saving over the original, so there is no larger original left underneath to leak. Treat cropping as reframing, not redaction: the pixels you crop out can survive in the file, so anything secret needs to be genuinely removed, rather than pushed off the edge.

Try it

ScrubShot is a one-time $30 purchase with a seven-day free trial, no account and no card up front. It runs entirely on your Mac.

Get ScrubShot