How to catch leaking pre-edit thumbnails before you publish
- Step 1Confirm you are on a Developer (or higher) plan — This is a Developer-tier tool. On Free, Pro, or Pro + Media the page shows a plan overlay and the dropzone is disabled. Developer raises the per-file limit to 2 GB, comfortably above any deliverable JPEG.
- Step 2Export the final asset as you normally would — Produce the JPEG exactly the way it will be published — same editor, same export preset. The point of this check is to test the real output, not a re-flattened copy, so don't re-save it through another app before checking.
- Step 3Drop the export onto the carver — The dropzone accepts any file type (
*/*) and processes one file at a time — there is no batch mode. Drop the final export you are about to hand off or publish. - Step 4Let the byte-carver scan — The tool reads the file into a buffer and walks it from offset 1 for a
FF D8 FFStart-of-Image that is not the host header at offset 0, then searches forward up to 200,000 bytes for the closingFF D9. There are no options, presets, or controls — the rules are fixed. - Step 5Read the QA verdict — If the panel shows
No embedded thumbnails detected in this file., no JPEG preview leaked — the export passes this check. If it showsblobwith a Download button, a preview survived: download<sourcename>-thumbnails.zipand open eachthumb-N.jpgto see exactly what would have leaked. - Step 6Fix the export, then re-check — If a preview leaked, strip the embedded metadata from the deliverable with exif-scrubber (or fix your export preset to regenerate/strip previews), then re-run the scrubbed file here. A clean 'no embedded thumbnails' result confirms the leak is gone.
What leaks, and what each leak would have exposed
Real export scenarios where a stale preview survives. The carver shows you the leaked preview; the QA decision is yours.
| Edit on the final image | What the stale preview would expose | Caught by a QA scan? |
|---|---|---|
| Skin / blemish retouch | The un-retouched original face | Yes, if the preview wasn't regenerated |
| Logo / trademark removed | The logo still visible in the preview | Yes — common brand-safety failure |
| Colour grade replaced | The original grade in the preview | Yes, when the old preview survives |
| Crop / reframe | The wider original framing | Yes, if the preview predates the crop |
| Export preset strips metadata | Nothing — preview removed on export | Returns 'no embedded thumbnails' (pass) |
| Export preset regenerates preview | A preview that matches the final image | Carves a matching preview (no leak) |
The byte rules the carver applies
Fixed values from the implementation. There are no user-adjustable options.
| Rule | Value | Why it matters for an export QA |
|---|---|---|
| Start marker | FF D8 FF after offset 0 | Finds the embedded preview while skipping the export's own header |
| End marker, window | FF D9 within 200,000 bytes | Closes the carved preview; one with no nearby EOI is abandoned |
| Minimum kept size | greater than 1,024 bytes | A real preview is above this; sub-1 KB runs are dropped as noise |
| Maximum kept size | less than 200,000 bytes | Keeps the preview; a full-size embedded copy over 200 KB is skipped |
| Max thumbnails per file | 16 | Up to 16 carved previews; a 17th is not extracted |
| Output | ZIP of thumb-N.jpg (or a text 'none' message) | A text result means the export passed the check |
Plan, input, and output behaviour
Operational facts for QA-ing an export with the hidden-thumbnail-extractor.
| Aspect | Behaviour | Note |
|---|---|---|
| Minimum plan | Developer | Free / Pro / Pro + Media show a plan overlay |
| Per-file size limit | 2 GB on Developer; unlimited on Enterprise | Far above any deliverable JPEG |
| Files per run | 1 | No batch — QA each export individually |
| Accepted types | Any (*/*) | Exports from any editor or script run the same way |
| Pass condition | No embedded thumbnails detected in this file. | No JPEG preview leaked in the 1 KB-200 KB window |
| Where it runs | Browser only | Unreleased creative never leaves your device and is not retained |
Cookbook
Byte-level walkthroughs of how the carver behaves on real exports. The Input / Result blocks describe markers and sizes, not literal binary.
Retouched portrait export that leaks the un-retouched preview
A beauty retouch was finished and exported, but the editor carried the camera's original EXIF preview into the JPEG. The preview still shows the un-retouched skin.
Input: portrait-final.jpg (host SOI at offset 0)
... main image (fully retouched) ...
APP1/EXIF IFD1 -> preview (un-retouched, 23 KB)
Scan: SOI at offset > 0, EOI within 200 KB,
size 23 KB -> KEEP
Result: portrait-final-thumbnails.zip
thumb-0.jpg (un-retouched -> FAIL QA, fix before publish)
findings.count = 1Logo removal that survived in the preview
A product shot had a competitor's logo painted out for a brand deliverable, but the stale preview still shows it.
Input: product-hero.jpg ... main image (logo removed) ... embedded preview -> logo still visible, 17 KB Scan: 17 KB -> 1 KB < 17 KB < 200 KB -> KEEP Result: product-hero-thumbnails.zip thumb-0.jpg (logo visible -> brand-safety FAIL)
Export preset strips metadata -- QA pass
The export preset removes metadata, so no embedded preview survives. The tool confirms the export is clean.
Input: clean-export.jpg SOI (offset 0) final image ... (no secondary FF D8 FF ... FF D9 in window) Scan: no qualifying embedded JPEG Result (text, not a download): No embedded thumbnails detected in this file. -> export passes the QA check.
Preset regenerates the preview -- matching, no leak
The editor rebuilt the preview from the final image on export. A preview exists but matches the deliverable, so nothing pre-edit leaks.
Input: regenerated.jpg SOI (offset 0) final image ... regenerated preview -> matches final, 15 KB Scan: preview in bounds, matches the deliverable Result: regenerated-thumbnails.zip thumb-0.jpg (matches final -> no pre-edit leak)
Fail -> strip -> re-check loop
Standard remediation: a leak is found, the deliverable is scrubbed, and the re-check confirms the leak is gone before publishing.
Step 1 -- QA the export (this tool): drop deliverable.jpg get thumb-0.jpg (un-retouched) -> FAIL Step 2 -- strip the metadata: open /image-tools/exif-scrubber drop deliverable.jpg -> removes EXIF incl. preview Step 3 -- re-check here: drop the scrubbed file get "No embedded thumbnails detected" -> PASS, publish
Edge cases and what actually happens
Export passes the check (no preview leaked)
PassWhen the scan finds no secondary FF D8 FF ... FF D9 stream in the 1 KB-200 KB window, the result is the text No embedded thumbnails detected in this file. and there is nothing to download. For a QA gate this is the desired outcome — no pre-edit JPEG preview survived in the export. It does not certify the file is free of all other metadata, only that no carvable preview leaked.
A preview is carved but it matches the final image
No leakIf the export preset regenerated the preview from your final image, the carver will pull a thumb-N.jpg that matches the deliverable. That is not a leak — compare it to the published image. Only a preview that differs from the final exposes a pre-edit state.
Preview stored as PNG, GIF, or BMP
Not detectedThe carver recognizes only the JPEG marker FF D8 FF. A non-JPEG preview is not found, so the export could report a pass while still carrying a non-JPEG preview. For a fuller picture of the file's contents, inspect it with hex-header-inspector or magic-byte-validator.
Embedded JPEG larger than ~200 KB
By designAn embedded JPEG of 200,000 bytes or more is skipped, because the upper bound restricts output to thumbnail-scale previews. A full-resolution embedded copy is not extracted by this carver; inspect the raw bytes with hex-header-inspector if you suspect one.
Embedded JPEG smaller than 1 KB
By designCarved streams of 1,024 bytes or fewer are rejected as likely-coincidental byte patterns. A genuine but unusually small preview just under 1 KB would also be dropped, so a tiny preview could slip past a QA scan.
Missing or far-away End-of-Image marker
SkippedAfter a start marker the carver searches forward at most 200,000 bytes for the closing FF D9. A preview with no EOI in that window is abandoned, so a damaged-but-real preview may not be flagged.
More than 16 previews in one file
TruncatedThe result is capped at the first 16 carved JPEGs in byte order. An asset round-tripped through many tools could exceed this; a count of 16 should be read as 'at least 16'.
You re-saved the export before checking
Test the real outputRe-saving the deliverable through another app before the QA scan can regenerate or strip the preview, hiding a leak that exists in the file you will actually publish. Always check the exact export that ships, not a re-flattened copy.
File exceeds your plan's size limit
RejectedDeveloper caps each file at 2 GB; a larger file is rejected before scanning. Deliverable JPEGs are far smaller, but the whole file is read into memory first, so a very large input is RAM-bound on a low-memory device.
The export file you check stays unchanged
PreservedExtraction is read-only — the tool reads the bytes through the browser and never writes back, so the export stays bit-identical and your QA step doesn't alter the deliverable. To prove it, hash before and after with multi-hash-fingerprinter.
Frequently asked questions
Why do my exports sometimes carry a pre-edit preview?
Cameras embed a small JPEG preview for fast gallery rendering. Depending on the editor and export preset, that preview is either regenerated from your final image or carried over untouched from the capture. When it carries over, the published file keeps a tiny copy of the before-edit state.
How do I use this as a QA gate?
Export the deliverable exactly as it will ship, drop it here, and read the verdict. No embedded thumbnails detected in this file. means no JPEG preview leaked and the export passes. A downloadable ZIP means a preview survived — open it to see what would have leaked.
What counts as a pass versus a fail?
A pass is the 'no embedded thumbnails' text, or a carved preview that matches your final image. A fail is a carved preview that differs from the final — an un-retouched, un-cropped, or un-recolored copy — because that pre-edit state would publish with the file.
Does checking the export modify the deliverable?
No — extraction is read-only. The tool reads the bytes via the browser and never writes back, so your export stays bit-identical. Confirm with multi-hash-fingerprinter by comparing the hash before and after.
If it finds a leak, how do I fix it?
Strip the embedded metadata from the deliverable with exif-scrubber, or adjust your export preset to regenerate or remove previews, then re-run the scrubbed file here. A clean 'no embedded thumbnails' result confirms the fix.
Should I re-save the export before checking it?
No. Re-saving through another app can regenerate or strip the preview and hide a leak that exists in the file you will actually ship. Always QA the exact export that gets published.
What format are the extracted previews?
Always JPEG. Each carved stream is a JPEG, so the files in the ZIP are named thumb-0.jpg, thumb-1.jpg, and so on, regardless of the export's type.
Can I QA a whole batch of exports at once?
No. The tool runs on one file per pass and names the output ZIP after that single file. Check each export individually.
Do I need to set any options?
No. There are no controls, presets, or format pickers — you drop one file and the carver runs with fixed rules. Only embedded JPEG previews between 1 KB and 200 KB are extracted.
What plan do I need and how large can the file be?
It is a Developer-tier tool. Developer allows files up to 2 GB and Enterprise removes the cap; Free, Pro, and Pro + Media show a plan overlay and cannot run it. Deliverable JPEGs are well within these limits.
Is my unreleased creative uploaded anywhere?
No. Everything runs in your browser — bytes are read, scanned, and zipped locally and nothing is uploaded or retained. Client work never leaves your machine during the check.
Does a clean result mean the file has no metadata at all?
No. It only means no JPEG preview between 1 KB and 200 KB leaked. The file may still carry other EXIF, XMP, or non-JPEG previews. To inspect the full picture, pair this with hex-header-inspector and magic-byte-validator, and strip metadata with exif-scrubber.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.