acropalypse

Earlier this month, details emerged about a flaw with Pixel phones’ Markup tool for editing screenshots. Dubbed ‘aCropalypse,’ the flaw allowed malicious actors to restore some or all of a cropped or redacted image.

Now it appears Windows 11 is impacted by a similar flaw.

Developer Chris Blume uncovered that the Windows 11 Snipping Tool is vulnerable to a similar exploit as was used for aCropalypse and shared the finding with Simon Aarons, one of the reverse engineers who discovered aCropalypse, on Twitter.

I've got a fun one for you all to look at.

I opened a 198 byte PNG with Microsoft's Snipping Tool, chose “Save As” to overwrite a different PNG file (no editing), and saves a 4,762 byte file with all that extra after the PNG IEND chunk.

Sounds similar 😀

— Chris Blume (@ProgramMax) March 21, 2023

Bleeping Computer verified the exploit with David Buchanan, the other reverse engineer behind aCropalypse, and found that a slightly modified version of the script Buchanan made to extract hidden info from an edited Pixel screenshot worked on the Windows 11 Snipping Tool.

As with Pixel’s Markup software, the Snipping tool doesn’t completely erase unused parts of the PNG image data, such as parts of the image that are cropped out. This data can be partially or fully recovered.

holy FUCK.

Windows Snipping Tool is vulnerable to Acropalypse too.

An entirely unrelated codebase.

The same exploit script works with minor changes (the pixel format is RGBA not RGB)

Tested myself on Windows 11 https://t.co/5q2vb6jWOn pic.twitter.com/ovJKPr0x5Y

— David Buchanan (@David3141593) March 21, 2023

However, it’s worth noting that the problem doesn’t impact all PNG files captured with the Snipping Tool, with optimized images being among those unaffected. Moreover, JPEG files also leave behind data, but so far, the exploit isn’t known to work with that file format. Finally, images that have been saved as another file in an image editing tool should be safe as well.

Microsoft told Bleeping Computer it was “aware of these reports and [is] investigating,” and it will take necessary action to protect users.

The flaw doesn’t appear to impact the Windows 10 Snipping Tool. Moreover, Buchanan isn’t publishing the modified scripts for the Windows 11 Snipping Tool since Microsoft hasn’t had a chance to patch it.

Meanwhile, Windows 11 users will want to be careful with what they capture using the Snipping Tool and where they share images. The main concern here is that someone might capture sensitive information in a screenshot and crop it out, but a malicious actor could restore the information using the modified aCropalypse script.

It’s worth noting that Google already pushed out a patch for aCropalypse to Pixel phones, but it doesn’t fix screenshots captured before the update.

Source: Chris Blume, David Buchanan, Bleeping Computer, Via: Engadget

The March security update that rolled out earlier this month included some fixes for major vulnerabilities on Google’s Pixel smartphone line.

There was a patch for an exploit with Samsung-made modems that could allow attackers to access data like phone calls or text messages using only the victim’s phone number. However, that wasn’t the only major vulnerability. The March update also includes a fix for a high-severity flaw with the Pixel Markup tool for editing screenshots. In short, the flaw leaves data in the image file that could allow malicious actors to partially restore images that were cropped or edited.

Dubbed ‘aCropalypse,’ details emerged over the weekend courtesy of Simon Aarons and David Buchanan, reverse engineers who uncovered the flaw. Aarons posted an image showing how aCropalypse can be used to recover an image on Twitter — the image shows a cropped, redacted photo of a credit card shared in a chat, and then the recovered image that includes the unredacted credit card number. Meanwhile, Buchanan posted a blog post with a technical breakdown of the exploit — if you’re curious how, exactly, aCropalype works, it’s worth a read.

Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr

— Simon Aarons (@ItsSimonTime) March 17, 2023

The flaw has existed for about five years. Markup was released in 2018 as part of Android 9 Pie, so it seems like aCropalypse has been around basically since the beginning. Although the March security patch fixes the problem for future images, edited screenshots taken prior to the patch are still vulnerable.

However, it’s hard to say just how worried Pixel owners should be. Aarons and Buchanan have a FAQ page coming — though at the time of writing, it wasn’t live — that should help explain some of the details. One important piece of information the duo shared with The Verge and 9to5Google is that some websites, like Twitter, process images in such a way that they aren’t vulnerable to aCropalypse. Not everything is like this, though — the pair pointed out Discord as an example, which didn’t patch out the vulnerability until January 17th.

With that in mind, it’s probably best to assume any screenshot you’ve taken and edited on a Pixel phone in the last five or so years could be reverse-engineered to recover the edited parts of the image.

Moreover, the March patch only rolled out to the Pixel 4a, 5a, 7 and 7 Pro, with the update delayed for the Pixel 6 series (though it’s supposed to roll out on March 20th).

You can learn more about the aCropalypse exploit here or try a demo of it here.

Source: Aarons, Buchanan, Via: The Verge