
Error in Google Markup and Windows image cropping tools exposes deleted image data


At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the device’s default photo-editing tool, Markup. Since its introduction in 2018 in Android 9, Markup’s crop tool has quietly left behind data in a cropped image file that can be used to reconstruct some or all of the original image beyond the limits of the crop. While now fixed, this vulnerability is critical because Pixel users have, over many years, created and in many cases presumably shared cropped images that may still contain the private or sensitive data the user was trying to remove. But it gets worse.

The bug, dubbed “aCropalypse,” was discovered and originally submitted to Google by security researcher and college student Simon Aarons, who collaborated on the work with fellow reverse engineer David Buchanan. The pair were shocked to discover this week that a similar version of the vulnerability appeared in other cropping utilities from a completely separate but equally popular codebase: Windows. The Windows 11 Snipping Tool and the Windows 10 Snip & Sketch tool are vulnerable when users take a screenshot, save the screenshot, crop the screenshot, and then save the file. Meanwhile, images cropped with Markup retain too much data even when the user applies the crop before saving the image for the first time.

Microsoft told WIRED on Wednesday that it was “aware of these reports” and that it was “investigating,” adding, “we will act as necessary.”

Buchanan said: “It was really amazing, it was like lightning struck twice. The original Android vulnerability was so surprising that it went undetected. It’s pretty surreal.”

Now that the vulnerabilities have been made public, the researchers have begun to discover old discussions on programming forums where developers noticed weird behavior in the cropping tools. But Aarons seems to have been the first to realize the potential security and privacy implications, or at least the first to take these findings to Google and Microsoft.

“I actually noticed it around 4am by accident when I discovered that a small screenshot I had sent with white text on a black background was a 5MB file, and that didn’t look right to me,” Aarons said.

Images affected by aCropalypse are usually not fully recoverable, but they can be essentially reconstructed. Aarons provided examples, including one where he was able to recover his credit card number after he tried to crop it out of the photo. In short, there are a lot of photos that contain more information than they should, namely, information that someone intentionally deleted.

Microsoft hasn’t released any fixes yet, but even the fix released by Google doesn’t mitigate the situation for existing image files that were cropped in the years when the tool was still vulnerable. However, Google points out that some social media and social networking services may automatically remove the leftover data from image files shared on them.

news7g
