ACropalypse

{{Lowercase title}}

{{Short description|2023 screenshot vulnerability}}

{{Redirect-distinguish|Acropalypse|acropolis}}

{{Infobox bug

| name = aCropalypse

| CVE = {{CVE|2023-21036|link=no}}

| discovered = {{Start date and age|2023|01|02}}

| patched = {{Start date and age|2023|01|24}}

| discoverer = Simon Aarons and David Buchanan

| affected software = Markup, Snip & Sketch for Windows 10, and Snipping Tool for Windows 11

}}

aCropalypse (CVE-2023-21036) was a vulnerability in Markup, a screenshot editing tool introduced in Google Pixel phones with the release of Android Pie. The vulnerability, discovered in 2023 by security researchers Simon Aarons and David Buchanan, allows an attacker to view an uncropped and unaltered version of a screenshot. Following aCropalypse's discovery, a similar zero-day{{Cite web |url=https://arstechnica.com/information-technology/2023/03/windows-10-and-11-get-their-own-version-of-the-acropalypse-screenshot-bug/ |title="Acropalypse" Android screenshot bug turns into a 0-day Windows vulnerability |date=March 22, 2023 |last=Cunningham |first=Andrew |work=Ars Technica |access-date=March 23, 2023}} vulnerability was also discovered, affecting Snip & Sketch for Windows 10 and Snipping Tool for Windows 11.

Background

{{See|Android Pie}}

In 2018, Android Pie—the ninth major release of Android—was released. With the release of Android Pie, Google Pixel phones beginning with the Pixel 3 received a new screenshot editor known as Markup. The editor allows a user to crop screenshots and alter them using on-screen elements, such as a pen and highlighter.{{Cite web |url=https://www.androidpolice.com/2018/03/07/android-p-feature-spotlight-screenshot-editing-now-native-markup/ |title=Android P feature spotlight: Screenshot editing is now native with 'Markup' |date=March 7, 2018 |last=Gao |first=Richard |work=Android Police |access-date=March 21, 2023}} Users can then save these screenshots to Google Photos or save them locally on their device.{{Cite web |url=https://www.androidcentral.com/how-take-screenshots-android-p |title=How to take screenshots in Android Pie |date=August 8, 2018 |last=Maring |first=Joe |work=Android Central |access-date=March 21, 2023}}

Discovery and usage

aCropalypse was discovered by Simon Aarons and David Buchanan, two security researchers. It had previously been submitted to Google's issue tracker by Lucy Phipps on August 11, 2022.{{Cite web |url=https://issuetracker.google.com/issues/241936678 |title=builtin screenshot cropping tool writes junk data |date=August 11, 2022 |access-date=March 29, 2023}} Aarons reportedly discovered the bug when he noticed that the file size for a screenshot he took of white text on a black background was abnormally large.{{Cite magazine |url=https://www.wired.com/story/acropalyse-google-markup-windows-photo-cropping-bug/ |title=Some Photo-Cropping Apps Are Exposing Your Secrets |date=March 22, 2023 |last=Hay Newman |first=Lily |magazine=Wired |access-date=March 22, 2023}} A website was created where users can submit cropped or altered images to reveal the original.{{Cite web |url=https://www.theverge.com/2023/3/19/23647120/google-pixel-acropalypse-exploit-cropped-screenshots |title=Google Pixel exploit reverses edited parts of screenshots |date=March 19, 2023 |last=Roth |first=Emma |work=The Verge |access-date=March 21, 2023}}

Behavior

aCropalypse exploits a vulnerability within Markup. Upon saving a cropped screenshot in Markup, the altered image is saved in the same location as the original image.{{Cite web |url=https://9to5google.com/2023/03/18/pixel-markup-screenshot-vulnerability/ |title=Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update |date=March 18, 2023 |last=Li |first=Abner |work=9to5Google |access-date=March 21, 2023}} The image is created using the {{Java|ParcelFileDescriptor.open()}} function; the function is called using the {{Java|"w"}} argument to {{Java|ParcelFileDescriptor.parseMode()}}, representing "write", when {{Java|"wt"}} should have been passed instead, which would have truncated the original image.{{Cite web |url=https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html |title=Exploiting aCropalypse: Recovering Truncated PNGs |date=March 18, 2023 |last=Buchanan |first=David |access-date=March 21, 2023}} Although the image is not created using {{Java|ParcelFileDescriptor.parseMode()}}, but rather {{Java|ParcelFileDescriptor.open()}}, the former converts an argument into a bitmask for the latter.{{Cite web |url=https://www.theregister.com/2023/03/20/google_pixel_acropalypse/ |title=Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered |date=March 20, 2023 |last=Vigliarolo |first=Brandon |work=The Register |access-date=March 21, 2023}} In similar functions, such as the C function fopen, using the {{C-lang|"w"}} argument will automatically truncate the file to zero length.{{Cite web |url=https://man7.org/linux/man-pages/man3/fopen.3.html |title=fopen(3) |date=March 22, 2021 |publisher=Linux manual |access-date=March 21, 2023}} The use of {{Java|"w"}} was implemented in Android 10 as an undocumented{{Cite web |url=https://arstechnica.com/gadgets/2023/03/google-pixel-bug-lets-you-uncrop-the-last-four-years-of-screenshots/ |title=Google Pixel bug lets you "uncrop" the last four years of screenshots |date=March 20, 2023 |last=Amadeo |first=Ron |work=Ars Technica |access-date=March 21, 2023}} change.{{Cite web |url=https://www.androidpolice.com/android-pixel-markup-exploit-discord-acropalypse/ |title=Severe exploit could expose sensitive data on Pixel screenshots previously cropped |date=March 18, 2023 |last=Wang |first=Jules |work=Android Police |access-date=March 21, 2023}}
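The effect of overwriting a file in place without truncation can be reproduced with ordinary file flags. The following is an added illustration, not Markup's or Android's code: it assumes the POSIX flags <code>O_WRONLY | O_CREAT</code> as a stand-in for the {{Java|"w"}} mode and the same flags plus <code>O_TRUNC</code> as a stand-in for {{Java|"wt"}}, and the file contents are constructed placeholders.

```python
import os
import tempfile

# Constructed placeholder contents; real screenshots would be PNG data.
ORIGINAL = b"ORIGINAL-SCREENSHOT:" + b"secret-region " * 40
CROPPED = b"CROPPED-SCREENSHOT:" + b"public " * 10


def overwrite(path: str, data: bytes, truncate: bool) -> bytes:
    """Write data at offset 0 of an existing file; return the file's final bytes."""
    flags = os.O_WRONLY | os.O_CREAT      # assumed analogue of mode "w"
    if truncate:
        flags |= os.O_TRUNC               # assumed analogue of mode "wt"
    fd = os.open(path, flags, 0o600)
    try:
        view = memoryview(data)
        while view:                       # handle short writes
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Save the smaller 'cropped' file over the original in both modes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, truncate in (("w", False), ("wt", True)):
            path = os.path.join(tmp, "shot-" + label + ".bin")
            with open(path, "wb") as fh:
                fh.write(ORIGINAL)
            final = overwrite(path, CROPPED, truncate)
            results[label] = {
                "size": len(final),
                "leftover": final[len(CROPPED):],  # bytes past the new data
            }
    return results


if __name__ == "__main__":
    for mode, info in demo().items():
        print(mode, info["size"], len(info["leftover"]))
```

Without the truncate flag the file keeps the original's length, and every byte past the end of the new data is still the old content.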

Markup uses zlib, a compression library that utilizes deflate compression, itself based on the lossless data compression algorithms LZ77 and LZ78, where each bit of data references the last, and dynamic Huffman coding, where a Huffman tree is defined at the start of the block. The Huffman tree in Markup screenshots is respecified every 16 kilobytes. The initial exploit for aCropalypse precomputed a list of 8 bytestrings and passed them to zlib, in order to start from a specific bit offset. Additionally, the initial exploit prefixed the image stream with 32 KB of the ASCII character "X".

Mitigation

An internal patch for aCropalypse was finalized on January 24, 2023, although a fix only began rolling out in a security patch released on March 13, 2023.{{Cite web |url=https://9to5google.com/2023/03/13/android-13-qpr2-pixel-feature-drop/ |title=March Pixel Feature Drop with Android 13 QPR2 now rolling out |date=March 13, 2023 |last=Li |first=Abner |work=9to5Google |access-date=March 21, 2023}} Certain social media sites, including Twitter, automatically truncate uploaded images, although others do not. One such site, Discord, mitigated the vulnerability on January 17, 2023. Cloudflare addressed the issue in JPEG files by checking the end-of-image marker in libjpeg-turbo for Rust and in PNG files with lodepng.{{Cite web |url=https://blog.cloudflare.com/how-cloudflare-images-addressed-the-acropalypse-vulnerability/ |title=How Cloudflare Images addressed the aCropalypse vulnerability |date=July 10, 2023 |last=Skehin |first=Nicholas |publisher=Cloudflare |access-date=July 11, 2023}}

Impact

aCropalypse affects Google Pixel phones running Android 10, released in September 2019.{{Cite web |url=https://www.androidpolice.com/2019/09/03/android-10-is-rolling-out-to-pixels-starting-today/ |title=Android 10 is rolling out to Pixels starting today |date=September 3, 2019 |last=Hager |first=Ryne |work=Android Police |access-date=March 21, 2023}} Affected photos could include credit card numbers and other private photos.{{Cite web |url=https://www.independent.co.uk/tech/google-pixel-crop-acropalypse-security-b2304504.html |title=Google 'acropalypse' lets users see hidden parts of images |date=March 20, 2023 |last=Cuthbertson |first=Anthony |work=The Independent |access-date=March 21, 2023}} By the time the vulnerability was disclosed, multiple devices, including the Pixel 3 and 3a, Pixel 4, Pixel 5, and Pixel 6 and 6a, had not received the update, thus rendering them vulnerable.{{Cite web |url=https://www.engadget.com/google-pixel-vulnerability-allows-bad-actors-to-undo-markup-screenshot-edits-and-redactions-195322267.html |title=Google Pixel vulnerability allows bad actors to undo Markup screenshot edits and redactions |date=March 21, 2023 |last=Bonifacic |first=Igor |work=Engadget |access-date=March 21, 2023}}

On March 21, software engineer Chris Blume noted that the Snipping Tool in Windows 11 results in a file size equal to a cropped version of the same image.{{Cite web |url=https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/ |title=Windows 11 Snipping Tool privacy bug exposes cropped image content |date=March 21, 2023 |last=Abrams |first=Lawrence |work=Bleeping Computer |access-date=March 21, 2023}} Using this, Buchanan discovered that the Snipping Tool in Windows 11, as well as Windows 10's Snip & Sketch, were susceptible to the same exploit, although not the Win32 Snipping Tool in Windows 10.{{Cite web |url=https://www.theverge.com/2023/3/21/23650657/windows-snipping-tool-crop-screenshots-vulnerability |title=Oops, Windows' screenshot tool may be saving stuff you cropped out, too |date=March 21, 2023 |last=Clark |first=Mitchell |work=The Verge |access-date=March 21, 2023}}

References