Pierre Bourdon
CVE-2023-21036 / acropalypse is absolutely bonkers. Apparently for 5+ years the cropping / editing tools for screenshots on Google Pixel phones was only overwriting the start of the screenshot PNG file, but not truncating. All screenshots shared for the past 5+ years might have data recoverable from them. Demo available at https://acropalypse.app/ Google still hasn't communicated anything on this. (h/t ItsSimonTime on Musk's site) 102 comments
Pierre Bourdon
Another one showing how a smaller crop can end up revealing even more of the original screenshot image. 
Pierre Bourdon
@marnanel it's all client side, nothing gets uploaded. At least in its current version I was using. 
Natty :butterflyN:
@delroth@mastodon.delroth.net You would assume it would be common sense not to do this 
:jan::abreath:🌬:dandelion:
@delroth I've noticed something that might be related. this may explain how they can have the "save vs save as" option when making small changes like a crop or "enhance" photo edits. If you pick save, it doesn't make a new file but must save the image adjustment data in a similar manner. I'm sure digging into a larger data sample size could turn up some more info
Pierre Bourdon
@Crazypedia that's the Google Photos crop tool which I'm pretty sure is different from the screenshot crop tool (and not vulnerable).
Pierre Bourdon
PoC author @retr0id published his writeup about how the bug was found, I strongly encourage you to give it a read and a follow: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html
Émilie Fecteau
@delroth If iOS has a similar bug, I am screwed, lol. But I’ve always thought something like this *might* be possible, so maybe it’s fine.
Émilie Fecteau
@frankie 👆 I guess we’ve gotta make sure our screenshots are JPEGs… https://mastodon.delroth.net/@delroth/110043776803548821 
David Buchanan
Erik Haugen
@delroth Yeah, without being a zlib expert, I think the smaller the crop the more likely the original is recoverable.
S Nielsen
@delroth Wow... that's incredible level of bad. I'm now sitting here wondering if it's really Pixel specific or not... and if other screenshot solutions suffer from a similar problem, or Google did something very silly... At least it seems like it has been fixed in the 2023 March update.... for future screenshots (presumably)...
Pierre Bourdon
@simonlbn "future" indeed, since the 2023 March update isn't available publicly for Pixel 6 / 6 Pro at this point. Yes, despite the fact that Project Zero dropped 5 remotely exploitable vulns for those devices yesterday. 
Diego Elio Pettenò
Pierre Bourdon
@flameeyes @simonlbn at least your data mostly gets leaked to various companies and gov orgs in China, not your stalkers and random people online :-) (But really, having worked on projects close to Android security in the past - Huawei devices have had some absolutely bonkers backdoors.)  
The Skeptic's Book of Lists
@delroth So if I crop "thesebooksImselling.png" because I want to get rid of my nasty bare feet in the photo I put on ebay, the cropped version just gets written to the top of the PNG file and but the original data is still present but not normally readable. Interesting!
Pierre Bourdon
@NekoEd no idea -- another reason why it would be great if Google actually released information... I've only seen confirmation for Pixel screenshots. However the root cause of the vulnerability is a behavior change in AOSP which could potentially have similar effects for other apps (https://issuetracker.google.com/issues/180526528).
ʟ·ɪɴᴀᴅꪮᴩᴛé 🌴
@delroth
augmented jungle
@delroth
augmented jungle
@delroth I tried uploading some crops to the site and it didn't return anything, on PC it says the file is not a PNG. It turns out my crops were saved as a separate JPEG and with a different name (IMG_* instead of Screenshot_*) I'm using CrDroid, which I just realized is LineageOS based, so that might be it. 
Simon Müller :sparkles_trans:
@instereo256 note this only happens with Google's markup screenshot editor, not what crDroid ships (I am ALSO using crDroid, if that matters)
Nicolás Alvarez
@instereo256 @delroth it applies to the Markup app normally only available on Pixel phones, if the custom ROM is sideloading that app then it's vulnerable too
Simon Müller :sparkles_trans:
@delroth this apparently works even when sideloading their Markup screenshot editor on Non-Pixel devices. Scary stuff. 
Hector Martin
@delroth This is where I'm lucky I've been using LineageOS without that tool... Seriously though, WTF. That's completely ridiculous *and* implies not just a security snafu but also violating standard POSIX safe overwrite hygiene (write out a new file and replace).
re:fi.64 :bisexual:
@marcan (It's not clear to me if the local storage implementation *does* do write-to-file-copy-and-rename tricks or similar, but this is basically entirely outside the hands of the application)
Barney Laurance
@delroth The most surprising thing to me is that it apparently took 5 years for anyone willing to publish to go looking for these pixels. Do we know what code module has the bug and whether it could be used anywhere else that isn't a Pixel phone? 
Ondřej Pokorný
sporksmith :unicycle: :rust:
@delroth
sporksmith :unicycle: :rust:
@delroth
Pierre Bourdon
@mylan it should be part of the March security update which got rolled out to Pixel 7 earlier this week. Still no update for Pixel 6 though...
Mylan
@delroth ah that explains it. Sorry if this was explained earlier I tried to read it all. Definitely don't mean to downplay the severity of it, this is kinda wild. I've certainly cropped screenshots because of sensitive info and nowhere we are. Hopefully those screenshots aren't floating around somewhere anymore 🙄
pcyx
@mylan @delroth For me it worked on my pixel 7 with a screenshot I took a minute ago. Revealed the deleted portion of the screen. Phone is fully up to date according to settings app. I have not received the march security update yet, though, so it seems they haven't rolled it out to everyone. Thankfully I have only had a Pixel for a week, and have never used that tool to crop. But I imagine there are millions, if not billions of screenshots in the wild suffering from this. Yikes... 
EricLaw
Fiddler's "Show Image Bloat" extension already flags CVE-2023-21036 / acropalypse untruncated images, as the untruncated bytes at the end are bloat! https://www.telerik.com/blogs/identifying-image-bloat-part-two
ollibaba
@delroth That sounds a bit like the challenge from Underhanded C Contest 2008 (http://www.underhanded-c.org/_page_id_17.html): > write a short, simple C program that redacts (blocks out) rectangles in an image.  
Eddie Coldrick 💻
@delroth Ah! Disaster. What about editing with the pen tool? I imagine that must overwrite? Just thinking of all the screenshots I have made on my Pixel. And I hope bird site, Mastodon, WhatsApp, etc. don't use the og files, so this can't be done?
Nicolás Alvarez
Simon Kowalewski
@delroth How can people not notice for 5 years that cropping a tiny bit out of a 1 meg PNG yields a 1 meg PNG? Or is just nobody using Pixel phones? 
AT-AT Assault :verifiedtrans:
Most people aren't checking the file sizes of their phone based files. Especially since that's not data that is presented to you by default. Unlike, say, if I were to open an explorer window in Windows, go to a file, edit it drastically, and instantly see the file size info change in explorer. 
PrivateGER :owo:
@delroth@mastodon.delroth.net AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA :nekothisisfine:
Christoph Thiede :verified:
@delroth Unable to reproduce for screenshots from last year taken on my Pixel 5.
Rainer Müller
@LinqLover @delroth It depends on which tool you used to crop them. As I understand it, only the screenshot editor of the Pixel phones did it wrong. If you used anything else like Google Photos to crop the screenshot, there should be no problem.
Christoph Thiede :verified:
  
Frosty ❄️🌨️ Whiskateers =OωO=
@delroth decided to give it a try myself. First two images are before and after with an old screenshot. Tried a newer screenshot from yesterday and got this message instead.
the clownward spiral
@delroth > lol. lmao  
Pierre Bourdon
@protofoxriley heh, at least you don't have 5 years of potential leaks to think about...
Super Riley RPG Remastered
@delroth very true, which is lucky for me, unless iOS devices start having this issue 😳
http :verified:
@delroth Don't forget that on iOS you can simply click "Revert" to undo any cropping, even years later, unless you transferred the image without full image data.
http :verified:
@nicolas17 @delroth It is. Apple uses the HEIC format for images. That also contains the video for "Live" photos and tons of more stuff. 
Kevan
@delroth @Femtoduino But this seems serious and preventable. I figured they had better security/privacy implementation. Good to know.
Christian Hagenest
@delroth Well, I'm certainly happy to have used the Pixel Experience custom rom. Serves me right for installing even more spyware on my phone, I guess 
Matt Cengia
@delroth Google has communicated this, for some value of "communicate": https://source.android.com/docs/security/bulletin/pixel/2023-03-01#pixel mentions CVE-2023-21036. My device isn't currently offering me this update, however.
Pierre Bourdon
@mattcen the only reason we know what CVE-2023-21036 even is is thanks to the researchers releasing info... this does not count as communicating anything.
Mx. Toffer D Brutechild HSD-SC
@delroth did we not all learn how dangerous this was from Catherine Schwartz?
Kneebiter
@delroth @suricrasia For what it's worth, this is also an issue with the way Microsoft Word 'crops' images. Word just changes the dimensions of the display area. The uncropped image is easy to view by unzipping the docx. 
Slips
@delroth@mastodon.delroth.net i wonder if this applies to just Pixels or any cropping done with Android tools. 
Sojourn :coffefiedyellow:
@delroth yay, using a custom ROM based off of AOSP and using the stock cropping tool, I'm immune to security issues :) Thanks @grapheneos |
Gregory's Server
I tried it on a screenshot from just a week ago. This is absolutely scary.
First image is the screenshot I saved after cropping. Second is what the demo app managed to recover.