At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the devices’ default photo-editing tool, Markup. Since its 2018 introduction in Android 9, Markup’s photo-cropping tool had been quietly leaving data in a cropped image file that could be used to reconstruct some or all of the original image beyond the confines of the crop. Though now fixed, the vulnerability is significant because Pixel users have for years been making, and in many cases presumably sharing, cropped images that may still contain the private or sensitive data the user was attempting to eliminate. But it gets worse.
The bug, dubbed “aCropalypse,” was discovered and originally submitted to Google by security researcher and college student Simon Aarons, who collaborated on the work with fellow reverse engineer David Buchanan. The pair were stunned to discover this week that a very similar version of the vulnerability is also present in other photo-cropping utilities from a totally separate yet equally ubiquitous codebase: Windows. The Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool are vulnerable in cases where a user takes a screenshot, saves it, crops the screenshot, and then saves the file again. Photos cropped with Markup, meanwhile, retained too much data even when the user applied the crop before first saving the photo.
Microsoft told WIRED on Wednesday that it is “aware of these reports” and that it is “investigating,” adding, “we will take action as needed.”
“It was pretty mind-blowing really, it was as if lightning had just struck twice,” says Buchanan. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”
Now that the vulnerabilities are out in the open, researchers have started uncovering old discussions on programming forums where developers noticed the odd behavior of the cropping tools. But Aarons seems to have been the first to recognize the potential security and privacy implications—or at least the first to bring the findings to Google and Microsoft.
“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5 MB file, and that didn’t seem right to me,” Aarons says.
Images impacted by aCropalypse often can’t be completely recovered, but they can be substantially reconstructed. Aarons provided examples, including one in which he was able to recover his credit card number after he attempted to crop it out of a photo. In short, there is a population of photos out there that contain more information than they should—specifically, information that someone intentionally tried to remove.
Microsoft hasn’t issued any fixes yet, but even those released by Google don’t mitigate the situation for existing image files cropped in the years when the tool was still vulnerable. Google points out, though, that image files shared on some social media and communication services may automatically strip out the errant data.
“As part of their existing compression process, apps and websites that recompress images, like Twitter, Instagram, or Facebook, delete extra data automatically from images uploaded. Images posted to sites like these are not at risk,” Google spokesperson Ed Fernandez says in a statement.
The researchers point out, though, that this is not true of all platforms, including Discord.
As a Discord user, Buchanan say he kept seeing people posting cropped screenshots, and it was really hard to not say anything before the vulnerability was publicly disclosed.
Steven Murdoch, a professor of security engineering at University College London, notes that in 2004 he discovered a vulnerability in which an older version of an image was stored in the thumbnail data for the image even after it had been altered.
“This isn’t the first time I’ve seen this sort of vulnerability,” Murdoch says. “And I think the reason is because when software is written, it’s tested to make sure that the thing you expect is there. You save an image, you can open the image, and then you’re done. What is not checked is whether there is accidentally extra data stored.”
The thumbnail vulnerability Murdoch found in 2004 was conceptually similar to aCropalypse from a data privacy standpoint but had very different technical underpinnings because of issues in application programming interface design. And Murdoch emphasizes that while he sees aCropalypse as a problem for users whose affected photos are already out in the world, its biggest impact may come from the discussions it has raised about how to promote better security practices in API development and implementation.
“This has triggered some interesting conversations about API design and what do you do to teach people to avoid this sort of vulnerability in the future? This is not something that we train people to deal with,” Murdoch says. “It’s not one of these ‘sky is falling’ vulnerabilities, but it’s not good.”