A bug in Google Markup and Windows’ photo cropping tools exposes cropped-out image data

At the beginning of March, Google updated its flagship Pixel smartphones to fix a vulnerability in Markup, the devices’ default photo editing tool. Since the introduction of Android 9 in 2018, Markup’s photo cropping tool had been quietly leaving behind information in the cropped image file that could be used to reconstruct some or all of the original image beyond the crop boundary. Although it’s now fixed, the vulnerability is significant because Pixel users have been cropping images this way for years, and in many cases, presumably, those cropped images may still contain personal or sensitive data that the user intended to remove. But it gets worse.

The bug was named “aCropalypse” and was first reported to Google by security researcher and college student Simon Aarons, who collaborated on the project with reverse engineer David Buchanan. The pair were surprised to learn this week that a very similar version of the vulnerability also exists in other photo-cropping utilities from an entirely different but ubiquitous code base: Windows. The Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool are vulnerable when the user takes a screenshot, saves it, crops the screenshot, and saves the file again. Photos cropped with Markup, meanwhile, retain too much data even when the user applies the crop before first saving the photo.

Microsoft told WIRED on Wednesday that it was “aware of these reports” and “is investigating,” adding that “we will take action as necessary.”

“It was really mind-blowing, like lightning struck twice,” says Buchanan. “The first Android vulnerability was surprising because it was not already discovered. It really was.”

Now that the vulnerabilities are out in the open, researchers are starting to uncover old threads on programming forums where developers have noticed the unusual behavior of crop tools. But Aarons appears to be the first to recognize the potential security and privacy implications — or at least the first to bring his findings to Google and Microsoft.

“When I accidentally sent a small script at 4 a.m. with white text on a black background and it was a 5 megabyte file, it just didn’t feel right to me,” Aarons says.

Images affected by aCropalypse cannot be fully restored, but they can be substantially reconstructed. Aarons provided examples, including one where he managed to retrieve his credit card number after trying to crop it out of a photo. In short, there is more data in these photos than there should be – specifically, information that someone has deliberately tried to remove.

Microsoft hasn’t released any fixes yet, but even the ones released by Google don’t help with existing image files that were cropped during the years when the device was still vulnerable. Google notes that some social media and communication services may automatically strip the extraneous data from image files shared through them.
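
A check for image files saved before a fix, added here as an example (it is not code from the researchers, Google or Microsoft). It assumes the affected files are PNGs in which the leftover data sits after the IEND end-of-image chunk, a detail this article does not spell out; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after the IEND chunk (0 for a clean file)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    # Each chunk is: 4-byte length, 4-byte type, body, 4-byte CRC.
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos = end
        if ctype == b"IEND":
            # A decoder stops here; anything beyond is invisible to viewers.
            return len(data) - pos
    raise ValueError("no IEND chunk found")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = build_sample_png()
    # Constructed stand-in for stale bytes left over from a larger original.
    leftover = clean + b"\x00" * 4096
    for name, blob in (("clean.png", clean), ("cropped.png", leftover)):
        extra = png_trailing_bytes(blob)
        print(name, "OK" if extra == 0 else "SUSPECT: %d bytes after IEND" % extra)
```

A non-zero result only shows that the file is larger than its visible image requires; re-encoding the image with any tool that writes a fresh file discards the extra bytes.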
