Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Snipping Leaks

Published: 2012-11-30
Last Updated: 2012-11-30 17:44:56 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)


ISC reader Phil asked a great question earlier today: "I'm wondering if there are data leakage concerns with screenshot tools such as MS Snipping Tool, if such tools have metadata in any of the formats they support".

Well, yes, they do.

Screenshots taken with the MS Snipping Tool and saved in JPG format contain both an EXIF and XMP header. You can look at what's in there for example with Phil Harvey's excellent ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool/)

The leakage is nowhere near as extensive as what is often found in MS Office documents, but it is definitely present. Among lots of information that describe the geometry of the screenshot taken, the more interesting fields include the name of the user who created the "snip", as well as the time stamp. The name is the full user name as configured for the respective windows account. If you want to surreptitiously post an image somewhere under a pseudonym, that's definitely a point to keep in mind ;).

EXIF and XMP tags can be readily removed - again using ExifTool, a simple "exiftool -ALL= image.jpg" will remove all meta tags from the image. Exiftool is friendly enough to create a backup named image.jpg_original, in the rare case something goes wrong in the process.

If you use other screen capture tools and have information on the meta data that gets stored together with the capture, please comment below or via our contact form.
 

 

Keywords: exif Leak metadata xmp
0 comment(s)
Diary Archives