Windows 10 Snipping Tool is leaking your username and/or your full name

Update October 2021. Microsoft finally fixed this issue in Windows 11 👏
If you are concerned about privacy then you probably know that it isn’t good idea to use your real name as a Windows account name. Not only Windows contains security flaws that can steal your username, but it is prominently displayed on your laptop’s sign-in screen, and any person who is behind you knows your first name and last name.

Windows 10 sign-in
Windows 10 sign-in

Today’s story is about the Windows 10 built-in tool that is used to take screenshots – Snipping Tool. It is a very convenient software utility that allows you to capture full-screen images of your PC’s display or just a window or a part of it.

Windows 10 Snipping Tool
Windows 10 Snipping Tool

It is very easy and convenient to take a snip and share it in the internet. However, when you are sharing it in the form of a JPG image, you are leaking your username or full name (in case you use it as a sign-in or account name in Windows 10). Thankfully the “save as JPG” is not the default setting for saving images, the PNG is. But also note that there is no any option or indication that your name will be embedded into image metadata also known as the Exif Header.

I have created a Capture.jpg image as an example using Windows 10 test account with the name of the fictitious character – Drip Leaker Junior to illustrate the leak. After saving a .jpg image on the storage, click right mouse button on it and choose the Details tab. You will see your name under Authors property.

Capture.JPG properties
Capture.JPG properties

Fortunately there is an option to “Remove Properties and Personal Information” in the same Details tab as shown in the screenshot above. But unfortunately it does not remove information completely. That would be fun if NSA was behind this, but most probably this is just a bug that causes your name leakage hidden from you but visible to any computer savvy person.

So what happens after you click on the “Remove…” link? It asks you to create copy with all possible properties removed or allows you to remove selected properties from the original file. See the screenshot below.

Remove Properties window
Remove Properties window

It doesn’t matter which option you choose, the personal information is not removed. It seems removed if you open the file properties again (right click on the file, and choose the Details tab). But isn’t. Your username/full name is still embedded in the JPG file.

Seems that Authors property is removed
Seems that Authors property is removed

To understand what is happening behind the scenes you will need some file viewer or better – Hex Editor. A program or App that can show contents of any file in the byte or character representation. Using such an app can reveal information that usually is not visible to a naive user.

Now if you look at the original Capture.jpg file using a such tool, you will notice an embedded username in 3 places. See the hex dumps below.

00000850 00 00 00 00 00 00 00 00 ........
00000858 00 00 00 00 00 00 00 00 ........
00000860 00 00 00 00 00 00 00 00 ........
00000868 44 72 69 70 20 4C 65 61 Drip Lea
00000870 6B 65 72 20 4A 75 6E 69 ker Juni
00000878 6F 72 00 00 00 01 EA 1C or....ê.
00000880 00 07 00 00 08 0C 00 00 ........
00000888 08 70 00 00 00 00 1C EA .p.....ê

00001090 00 00 00 00 00 00 00 00 ........
00001098 00 00 00 00 44 00 72 00 ....D.r.
000010A0 69 00 70 00 20 00 4C 00 i.p. .L.
000010A8 65 00 61 00 6B 00 65 00 e.a.k.e.
000010B0 72 00 20 00 4A 00 75 00 r. .J.u.
000010B8 6E 00 69 00 6F 00 72 00 n.i.o.r.
000010C0 00 00 FF E1 0A 6B 68 74 ..ÿá.kht
000010C8 74 70 3A 2F 2F 6E 73 2E tp://ns.

000012A8 79 6E 74 61 78 2D 6E 73 yntax-ns
000012B0 23 22 3E 3C 72 64 66 3A #">Drip
000012C0 4C 65 61 6B 65 72 20 4A Leaker J
000012C8 75 6E 69 6F 72 3C 2F 72 unior</r
000012D0 64 66 3A 6C 69 3E 3C 2F df:li></
000012D8 72 64 66 3A 53 65 71 3E rdf:Seq>

When you use feature “Remove Properties and Personal Information”, it removes last entry, around 012B0 address, but leaves other two untouched. Also, notice 0x00 between characters in the second hex dump. Most probably it is an Unicode version of an author.

Why I didn’t report this bug to Microsoft? I actually did report the same bug for Windows 8 about five years ago, and the fix never came…

So what can you do to prevent your personal information leakage? Maybe stick to the .png format (the default one) which seems to not have this bug. Or try to submit a bug to Microsoft. Perhaps you will have better luck than me.

Software used to in the tests – fully patched Windows 10 Pro 64-bit, Version 1803 (OS Build 17134.167). Hex Editor used – freeware Febooti HEX Editor.

P.S. If you are wondering what happens when you click on the Help link from the Remove Properties window called “What personal information might be in a file?”, it leads to https://go.microsoft.com/fwlink/?LinkId=517009 that redirects to the root page of Windows 10 support – https://support.microsoft.com/en-us/products/windows?os=windows-10 which of course doesn’t have any useful information. This may be related to the fact that somehow Microsoft is not dedicating enough resources to software testing, but that’s the story for another time.