aCropalypse

From Wikipedia, the free encyclopedia
CVE identifier(s): CVE-2023-21036
Date discovered: January 2, 2023
Date patched: January 24, 2023
Discoverer: Simon Aarons and David Buchanan
Affected software: Markup, Snip & Sketch for Windows 10, and Snipping Tool for Windows 11

aCropalypse (CVE-2023-21036) was a vulnerability in Markup, a screenshot editing tool introduced in Google Pixel phones with the release of Android Pie. The vulnerability, discovered in 2023 by security researchers Simon Aarons and David Buchanan, allows an attacker to view an uncropped and unaltered version of a screenshot. Following aCropalypse's discovery, a similar zero-day[1] vulnerability was also discovered, affecting Snip & Sketch for Windows 10 and Snipping Tool for Windows 11.

Background

In 2018, Android Pie—the ninth major release of Android—was released. With the release of Android Pie, Google Pixel phones beginning with the Pixel 3 received a new screenshot editor known as Markup. The editor allows a user to crop screenshots and alter them using on-screen elements, such as a pen and highlighter.[2] Users can then save these screenshots to Google Photos or save them locally on their device.[3]

Discovery and usage

aCropalypse was discovered by Simon Aarons and David Buchanan, two security researchers.[4] It had previously been submitted to Google's issue tracker by Lucy Phipps on August 11, 2022.[5] Aarons reportedly discovered the bug when he noticed that the file size for a screenshot he took of white text on a black background was abnormally large.[6] A website was created where users can submit cropped or altered images to reveal the original.[7]

Behavior

aCropalypse exploits a vulnerability within Markup. Upon saving a cropped screenshot in Markup, the altered image is saved in the same location as the original image.[8] The image file is opened using the ParcelFileDescriptor.open() function, with a mode derived from the "w" argument ("write") passed to ParcelFileDescriptor.parseMode(); "wt" ("write and truncate") should have been passed instead, so that the original image would be truncated.[9] Because the file is not truncated, when the edited image is smaller than the original, the bytes of the original that lie beyond the end of the new image remain in the file. Although the image is not created using ParcelFileDescriptor.parseMode(), but rather ParcelFileDescriptor.open(), the former converts an argument into a bitmask for the latter.[10] In similar functions, such as the C function fopen, using the "w" argument will automatically truncate the file to zero length.[11] The use of "w" was implemented in Android 10 as an undocumented[12] change.[4]
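The difference between the two modes can be reproduced on any file system. The following is an added example, not code from Markup or Android: it assumes POSIX-style open flags as a stand-in for the Android mode bitmask, and the function names and sample byte strings are constructed for illustration.

```python
import os
import tempfile

# Stand-ins for the two mode strings (assumption of this sketch: POSIX open
# flags play the role of the bitmask that parseMode() produces).
MODE_W = os.O_WRONLY | os.O_CREAT                 # "w": write, no truncation
MODE_WT = os.O_WRONLY | os.O_CREAT | os.O_TRUNC   # "wt": write and truncate


def save_over(path, data, flags):
    """Write data at offset 0 of an existing file using the given open flags."""
    fd = os.open(path, flags, 0o600)
    try:
        view = memoryview(data)
        while view:                      # os.write may write fewer bytes than asked
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)


def leftover_after_save(original, edited, flags):
    """Save `edited` over a file holding `original`; return the stale tail left on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "screenshot.png")
        with open(path, "wb") as f:
            f.write(original)
        save_over(path, edited, flags)
        with open(path, "rb") as f:
            on_disk = f.read()
    return on_disk[len(edited):]


# Constructed sample data, not real image files.
ORIGINAL = b"ORIGINAL-SCREENSHOT:" + b"secret-region " * 8
EDITED = b"CROPPED-SCREENSHOT"

if __name__ == "__main__":
    print("stale bytes with 'w': ", len(leftover_after_save(ORIGINAL, EDITED, MODE_W)))
    print("stale bytes with 'wt':", len(leftover_after_save(ORIGINAL, EDITED, MODE_WT)))
```

When the edited data is at least as long as the original, neither mode leaves anything behind, which is why only cropped or otherwise smaller saves are affected.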

Markup uses zlib, a compression library that utilizes deflate compression, itself based on the lossless data compression algorithms LZ77 and LZ78, where each bit of data references the last, and dynamic Huffman coding, where a Huffman tree is defined at the start of the block. The Huffman tree in Markup screenshots is respecified every 16 kilobytes. The initial exploit for aCropalypse precomputed a list of 8 bytestrings and passed them to zlib, in order to start from a specific bit offset. Additionally, the initial exploit prefixed the image stream with 32 KB of the ASCII character "X".[9]

Mitigation

An internal patch for aCropalypse was finalized on January 24, 2023,[4] although a fix only began rolling out in a security patch[8] released on March 13, 2023.[13] Certain social media sites, including Twitter, automatically truncate uploaded images, although others do not. One such site, Discord, mitigated the vulnerability on January 17, 2023.[7] Cloudflare addressed the issue in JPEG files by checking the end-of-image marker in libjpeg-turbo for Rust and in PNG files with lodepng.[14]

Impact

aCropalypse affects Google Pixel phones running Android 10, released in September 2019.[15] Affected photos could include credit card numbers and other private photos.[16] By the time the vulnerability was disclosed, multiple devices, including the Pixel 3 and 3a, Pixel 4, Pixel 5, and Pixel 6 and 6a, had not received the update, thus rendering them vulnerable.[17]

On March 21, software engineer Chris Blume noted that the Snipping Tool in Windows 11 results in a file size equal to a cropped version of the same image.[18] Using this, Buchanan discovered that the Snipping Tool in Windows 11, as well as Windows 10's Snip & Sketch, were susceptible to the same exploit, although not the Win32 Snipping Tool in Windows 10.[19]

References

  1. Cunningham, Andrew (March 22, 2023). ""Acropalypse" Android screenshot bug turns into a 0-day Windows vulnerability". Ars Technica. Retrieved March 23, 2023.
  2. Gao, Richard (March 7, 2018). "Android P feature spotlight: Screenshot editing is now native with 'Markup'". Android Police. Retrieved March 21, 2023.
  3. Maring, Joe (August 8, 2018). "How to take screenshots in Android Pie". Android Central. Retrieved March 21, 2023.
  4. Wang, Jules (March 18, 2023). "Severe exploit could expose sensitive data on Pixel screenshots previously cropped". Android Police. Retrieved March 21, 2023.
  5. "builtin screenshot cropping tool writes junk data". August 11, 2022. Retrieved March 29, 2023.
  6. Hay Newman, Lily (March 22, 2023). "Some Photo-Cropping Apps Are Exposing Your Secrets". Wired. Retrieved March 22, 2023.
  7. Roth, Emma (March 19, 2023). "Google Pixel exploit reverses edited parts of screenshots". The Verge. Retrieved March 21, 2023.
  8. Li, Abner (March 18, 2023). "Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update". 9to5Google. Retrieved March 21, 2023.
  9. Buchanan, David (March 18, 2023). "Exploiting aCropalypse: Recovering Truncated PNGs". Retrieved March 21, 2023.
  10. Vigliarolo, Brandon (March 20, 2023). "Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered". The Register. Retrieved March 21, 2023.
  11. "fopen(3)". Linux manual. March 22, 2021. Retrieved March 21, 2023.
  12. Amadeo, Ron (March 20, 2023). "Google Pixel bug lets you "uncrop" the last four years of screenshots". Ars Technica. Retrieved March 21, 2023.
  13. Li, Abner (March 13, 2023). "March Pixel Feature Drop with Android 13 QPR2 now rolling out". 9to5Google. Retrieved March 21, 2023.
  14. Skehin, Nicholas (July 10, 2023). "How Cloudflare Images addressed the aCropalypse vulnerability". Cloudflare. Retrieved July 11, 2023.
  15. Hager, Ryne (September 3, 2019). "Android 10 is rolling out to Pixels starting today". Android Police. Retrieved March 21, 2023.
  16. Cuthbertson, Anthony (March 20, 2023). "Google 'acropalypse' lets users see hidden parts of images". The Independent. Retrieved March 21, 2023.
  17. Bonifacic, Igor (March 21, 2023). "Google Pixel vulnerability allows bad actors to undo Markup screenshot edits and redactions". Engadget. Retrieved March 21, 2023.
  18. Abrams, Lawrence (March 21, 2023). "Windows 11 Snipping Tool privacy bug exposes cropped image content". Bleeping Computer. Retrieved March 21, 2023.
  19. Clark, Mitchell (March 21, 2023). "Oops, Windows' screenshot tool may be saving stuff you cropped out, too". The Verge. Retrieved March 21, 2023.